Rogue ads serve up tech support scams, believed from India
Rogue ads serve up tech support scams, believed from India

Security researchers have discovered that tech support scammers are targeting victims through the abuse of native ads and content discovery platforms, such as Taboola.

According to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes, tech support scammers are using Taboola to deliver malvertising on MSN.

“While clicking on a story promoted by Taboola – a leading global discovery platform which Microsoft signed a deal within 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance,” said Segura.

He added that the fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. “Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”

According to the researcher, the scammer created a bogus news site (infinitymedia[.]online) which does have actual content but is performing conditional redirects, also known as ‘cloaking'. A conditional redirect is usually a server-side mechanism that profiles the user and returns a particular response. Segura said that if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy). 

“Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead,” he said.

In the case of malvertising on MSN, the user was conditionally redirected to another site (the tech support scam page), and never saw the content they were looking for. Infinity Media's domain can be traced back to India, where a lot of tech support scams come from.

Segura noted that the domain registrant's email is also linked to tech support scams domains.

“This particular actor made the mistake of reusing the same host server for domains he had created before. For example, if we take micro-soft-system-alert2[.]online which is registered to his email address, we notice that it resolves to 108.167.146.132, a server full of tech support scams and phishing sites, including the one used in this particular malvertising attack, namely 4vxadfcjdgbcmn[.]ga,” said Segura.

The researcher said that the fraudulent advertiser was reported to Taboola, which is undertaking a review of this vendor.

“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait,” said Segura.

Dan Smith, director and  head of advertising at Gowling WLG, told SC Media UK that at its best, native advertising can provide content that audiences want to read and an additional revenue stream for publishers.

“But site owners need to do their due diligence and to work with providers to ensure high quality content – malvertising, clickbait and other content which falls short of a publisher's usual editorial standards can damage brand and reputation, while incorrectly labelled native ads (which confuse the reader into thinking they are editorial) can give rise to regulatory concerns,” he said.

“Since native advertising closely mirrors the form of editorial, it follows that users exposed to scams and malicious content through native content will turn first to the website owner with their grievance, not Taboola, Outbrain or the relevant content platform."

Mark James, security specialist at ESET, told SC Media UK that people are used to clicking popups in windows- “if it's an error, there's a popup, if there's a question it's usually a popup, and if the programmer or developer wants to ask a question there's usually a popup.”

“We as humans are skim readers, we generally read the first line, some of the middle stuff and usually the last line, our brains are looking for three things: What's Wrong (usually the first line) How can we fix it ( the middle bit ) and lastly if we are lucky can we fix it right now ( usually if available, at the bottom ). If we are presented with all that information in one easy to manage popup, there is a good chance it's going to get clicked.” He said.

“Often in these cases your only defence is common sense and the ability to decide if “it's too good to be true”- in most cases if it is then it's a scam. I know you hear it all the time, but it really is as simple as thinking before you click - it could be the difference between a close call and being a victim.”