Taboola ads exploited to serve up tech support scams

As always, users need to be careful about what they click.

Criminals are exploiting users' natural sense of curiosity with native advertisements to serve up tech support scam pages.

The malvertising campaign works by abusing Taboola ads on Microsoft's MSN.com web portal. Taboola is one of the main providers of sponsored stories on news websites, typically appearing as "More stories from around the web" or "You may also like" promoted content.

But in this particular scam campaign, clicking on a Taboola-sponsored article leads to a fake tech support page with the domain name 4vxadfcjdgbcmn[.]ga.

Figure 1: Automatic redirection from click on promoted story to scam page

Jérôme Segura, a malware researcher at Malwarebytes, says the campaign uses repetition to scare unsuspecting users into compliance:

"The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them."

Tech support scammers are known for exploiting bugs, impersonating ISPs, and using scare tactics to trick people. This native advertising technique, however, ranks among the more complex tech scammer ploys.

To pull it off, the rogue advertiser has to basically build up a reputation for themselves. How do they do that? By creating a fake news site called Infinity Media that uses conditional redirects to return certain results based upon the profile of the user. In that way, they can use SEO-heavy stories as decoys to serve up whatever content they want.

Figure 3: Stories designed for click-bait. (Source: Malwarebytes)
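A defender can surface this kind of conditional redirect by requesting the same promoted-story URL under several client profiles and comparing where each one ends up. The sketch below is an added example, not code from Malwarebytes or this article; the profile names, hostnames and recorded responses are constructed placeholders, and the helper names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed captures: (client profile, requested URL) -> (status, Location header).
# Hostnames are placeholders, not indicators from the article.
START = "http://news-decoy.example/story?id=7"
CAPTURES = {
    ("crawler", START): (200, None),
    ("mobile-eu", START): (200, None),
    ("desktop-us", START): (302, "/go?c=7"),
    ("desktop-us", "http://news-decoy.example/go?c=7"):
        (302, "http://alert-page.example/warn"),
    ("desktop-us", "http://alert-page.example/warn"): (200, None),
}
REDIRECTS = (301, 302, 303, 307, 308)

def final_url(profile, url, captures, max_hops=10):
    """Follow the recorded redirect chain for one profile and return
    the URL that finally answered without redirecting."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, location = captures[(profile, url)]
        if status not in REDIRECTS or not location:
            return url
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

def find_cloaking(start_url, profiles, captures):
    """Return {profile: final_host} for profiles sent off the landing
    host, but only when at least one other profile stayed on it,
    i.e. the redirect depends on who is asking."""
    landing = urlsplit(start_url).hostname
    finals = {p: urlsplit(final_url(p, start_url, captures)).hostname
              for p in profiles}
    diverted = {p: h for p, h in finals.items() if h != landing}
    stayed = [p for p in finals if p not in diverted]
    return diverted if diverted and stayed else {}

if __name__ == "__main__":
    print(find_cloaking(START, ["crawler", "mobile-eu", "desktop-us"], CAPTURES))
```

A non-empty result means the decoy story is served to some visitors while others are forwarded elsewhere, which is the pattern worth escalating to the ad network.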

That's not even the end of it.

A WHOIS search of Infinity Media yields an email account, bhanutomar90nk@gmail[.]com, that's responsible for having registered something called micro-soft-system-alert2[.]online. This resource, in turn, resolves to 108.167.146.132, where lots of different phishing sites, tech support pages, and similarly bogus news portals are hosted.

Figure 7: Connecting the fake news sites to the tech support domain. (Source: Malwarebytes)

Just in case it's not already clear, Segura has the moral of the story for us:

"Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait."

That goes especially for stories that are promoted. True, the content discovery network might be trustworthy. But you don't know who's creating the content and for what purpose.

2 Responses

  1. Michael Ponzani

    October 2, 2017 at 2:09 pm #

    That's why I never click on those sites. They are big ads, basically. If I ever get those web pages I shut the computer down through my power strip, let it reboot and the problem generally goes away. Then I run my AV/malware programs and my computer is OK. I may not be OK, my computer is.

  2. David Lewis

    October 2, 2017 at 6:43 pm #

    I will never understand why anyone would add Taboola to their website. Don't they realize how damaging it is to their brand?! And are they really that desperate?!
