Malvertising on Microsoft Edge’s News Feed pushes tech support scams

While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

Overview

The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsupecting users to tech support scams.

The redirection flow can be summarized in the diagram below:

b2602132998df90c0717b83b83140d778da70cd86597de0360c72f96aa0022ea

Technical details

When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, with the folling format:

document.location.replace('https:\/\/[scammer domain]\/{..}\/?utm_source=taboola&utm_medium=referral

The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.

b0bb704627c37453d668d9b2dec887c741f099abd1e475fec67739f1a6eae673

An original version of this script can be found here, while a beautified version can be found here.

The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert.

This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. What’s worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block.

9ae161e25d53a8385f72dbb61201a234f12593226576334a5baeaf47a1bd150c

These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.

Infrastructure

The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):

  • feedsonbudget[.]com
  • financialtrending[.]com
  • foddylearn[.]com
  • glamorousfeeds[.]com
  • globalnews[.]cloud
  • hardwarecloseout[.]com
  • humaantouch[.]com
  • mainlytrendy[.]com
  • manbrandsonline[.]com
  • polussuo[.]com
  • newsagent[.]quest
  • newsforward[.]quest
  • puppyandcats[.]online
  • thespeedoflite[.]com
  • tissatweb[.]us
  • trendingonfeed[.]com
  • viralonspot[.]com
  • weeklylive[.]info
  • everyavenuetravel[.]site

One of the domains,tissatweb[.]us, which was also publicly reported for hosting a browser locker has interesting whois data:

Registrant Email: sumitkalra1683@gmail[.]com

That email address is associated with the following additional domains:

  • tissat[.]us
  • mvpconsultant[.]us
  • aksconsulting[.]us
  • furnitureshopone[.]us
  • minielectronic[.]in
  • antivirusphonenumber[.]org
  • quickbooktechnicalsupport[.]org
  • printertechnicahelp[.]com
  • comsecurityessentials[.]support
  • decfurnish[.]com
  • netsecurity-essential[.]com
  • mamsolutions[.]us
  • mamsolution[.]us
  • a-techsolutions[.]us

The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is “Computer and related activities”.

Protection

This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.

6e1e8995a971104fbc7fd1046b852ee06a8c7be4003464cc4d73d5c1008d2ebf

The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn