An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
Microsoft Edge is currently the default web browser on computers running the Windows operating system and it currently has a 4.3% market share worldwide, according to Statcounter's Global Stats.
This scam operation has been running for at least two months, according to Malwarebytes' Threat Intelligence Team, who said this is one of the most extensive campaigns at the moment based on the amount of telemetry noise it generates.
This is not surprising considering its scale, with the attackers switching between hundreds of ondigitalocean.app subdomains to host their scam pages within a single day.
The several malicious ads they're injecting into the Edge News Feed timeline are also linked to more than a dozen domains, at least one of them (tissatweb[.]us) also known for hosting a browser locker in the past.
The redirection flow used to send Edge users starts with a check of the targets' web browsers for several settings, such as timezone, to decide if they are worth their time. If not, they'll send them to a decoy page.
To redirect to their scam landing pages, the threat actors use the Taboola ad network to load a Base64 encoded JavaScript script designed to filter the potential victims.
"The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert," Malwarebytes explained.
"This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers."
While Malwarebytes didn't say what happens if you call the scammers' phone number, in most cases, they would lock your computer using various methods or tell you that your device is infected and you need to purchase a support license.
Either way, once they connect to your computer to help you, the scammers will try to convince their victims to pay for an expensive tech support contract with no benefit to the victim.
"In partnership with our advertising providers, we have removed this content and blocked the advertiser from our networks," a Microsoft spokesperson told BleepingComputer.
"We remain dedicated to our user's safety and will continue to work with our partners to detect, eliminate, and provide new technological solutions to prevent malware attacks and address these threats."
Update: Added Microsoft statement.
Comments
NoneRain - 1 year ago
"Hello, your computer has virus"
Jokes aside, as MS News grows, Malvertising become more interesting. Doubt they'll address this stuff the way they should, just llike Google that doesn't do a great job. I reported a dozen of malicious ads, and saw a ton of "illegal licenses" stores.