Scammers capitalize on Black Friday week with massive malvertising campaign

Black Friday is the annual kick off to the shopping season for brick and mortar and online retailers. However, it’s not just businesses that rejoice in seeing the afflux of customers wanting to spend money. Scammers are waiting around the corner ready to take advantage of the situation in any way they can.

Case in point, a malicious advertiser has been ramping up a fraudulent campaign via Google ads for the popular Walmart brand. Perhaps due to the upcoming Black Friday shopping deals, we are seeing a dramatic increase in traffic towards a number of malicious sites registered for the purpose of serving tech support scams.

We collected all the data that we found about this malvertising campaign and shared it with Google who acknowledged our notification.

The advert

Back in July we saw a malvertising campaign where the threat actor was bidding on popular keywords such as ‘youtube’ and ‘facebook’. This time it appears they are exclusively targeting ‘walmart’ and the volume we are seeing in our telemetry has gone from a handful of hits to thousands in the past two days.

39fbdb2fbba12651b30a7794338e32b886cbb444acb2b03bd28dd36e273c727c

We believe it might simply be due to the fact that online searches for retailers (not limited to Walmart) have gone up in the days leading to Black Friday sales. The crooks are simply riding that wave and benefiting from increased traffic.

Here’s how the malicious redirection happens: first the user searches for the word ‘walmart’ in Google. Based on their location and other factors (cookies, etc.) a malicious ad may be displayed at the the top. Although it looks legitimate, unsuspecting users clicking on it will be redirected to a tech support scam page claiming their computer is infected.

66bb037756844ef5971b5a47323698c9298b7e75ee24b24957799ff81c6404f6

Visually the advert looks legitimate as it appears to display the official website URL, although as we’ll come to see that does not mean anything. In fact, the true destination URL (adurl) is not explicitly shown to users and requires some traffic inspection to be able to catch it.

7109ae03523cc5a5893c5cb69f8bd25a016ceae968003ae74a60995cbe97cb94

The Google link itself creates a series of redirects. We can finally see the destination URL (advertiser’s domain which is nveswillrema[.]ga). That should raise some eyebrows due to being a top level domain often used by scammers. In total, we have identified over 50 different advertiser domains registered for the purpose of malvertising (please see IOCs section).

We also spot a URL for the legitimate Walmart store whose sole purpose is to deceive the ad network via a process known as cloaking. If you click on this ad and are not the intended victim, you will be redirected to the Walmart site and never see anything malicious.

4e0a72d9ea422f257a422bfcfdcf57ad5468ecdd67ea34b185eed9b7d4d84c37

However, if your IP address and browser profile matches, the threat actor will instead redirect you to a tech support scam page. Because this campaign has gained so much momentum, it has lead some people to wonder if the Walmart site itself had been hacked. The Walmart site is not hacked but users are clicking on ads that are malicious. Below is the traffic redirection that happens when the right victim click on the ad:

cfcbe727714fc16ca889ab31fe9c2d72e7713571b2597c21ae6dfbc117786061

The browser locker

The threat actors are using a number of disposable domains for the tech support scam page, also making it more difficult to block. The fake warnings contain audio to scare users and trick them into calling a phone number for assistance.

Bogus tech support agents are at the ready for you to let them gain remote access to your computer. Depending on their skills and luck, they may be able to steal thousands of dollars from a victim’s bank account at once.

294ec35489522657f81e27db7a1c342dec30c9f8345e559cc1cf9bb891fc7d83

Monetizing clicks for badness

Ads can be deceiving and unfortunately crooks will always keep trying to abuse the system. The way search engines are designed makes it even easier to lead victims down the wrong path because ads or sponsored results tend to be displayed prominently.

As humans we tend to take the path of least resistance and we will click whatever comes first, even if it’s an (malicious) ad. In the best case scenario, the retailer will pay for each click instead of getting ‘organic’ SEO traffic. In the worst case, a malicious advertiser will hijack the click and redirect them to a page of their choice.

f6856db38a4db14b0c697fd09b948dfa2e30ab2324afd4a2ed85316f746bdfd1

Visiting the retailer’s website directly by typing its address may be wiser, provided you don’t typo it! Or you could also click on the link at the very right of the page which gives high level information about the company. Unfortunately, this area of the screen tends to be cooler than right beneath the search results, meaning it gets less attention and clicks.

We have reported the ads we were able to identify to Google.

Indicators of Compromise

Domains used by the advertiser:

1keto[.]2022ketoabsolut[.]ru[.]com
1ketogo[.]shop
2022ketoabsolut[.]ru[.]com
angelbakery[.]cfd
barnevebarjekind[.]ga
carringwattspecinchic[.]ga
cegbakery[.]bar
commercialpropertyins[.]com
ecarti[.]ga
eternaluniversity[.]com
factrazor[.]com
fepheringwoodschecto[.]ga
firmcijerpa[.]ga
katherinemaldonado[.]xyz
katherinestokes[.]click
kellyrobertson[.]click
ketis[.]2022ketoabsolut[.]ru[.]com
keto-nummi[.]shop
kevinstevens[.]xyz
kikilosens[.]xyz
kimpage[.]xyz
kokolosinb[.]xyz
lahmulidedif[.]ga
leonawells[.]click
lidentebitinf[.]ga
lindalewis[.]xyz
loismatthews[.]xyz
loloysnn[.]xyz
loriallen[.]xyz
louisrduiz[.]xyz
marvinsteele[.]xyz
nanamonavi[.]xyz
nistbipec[.]ga
nonsligi[.]ga
otzyv-tut[.]review
paulabell[.]xyz
pekcari[.]ga
phyllislambert[.]xyz
pickregessi[.]ga
querepobureke[.]ga
rebeccamyers[.]xyz
reelsredtato[.]cf
riadholunpa[.]cf
richardramirez[.]click
robertgarcia[.]xyz
robertmendoza[.]xyz
rodneyvasquez[.]xyz
ronaldmiller[.]xyz
rosebennett1[.]xyz
rosecarter[.]xyz
sarapatton[.]xyz
schooljilteca[.]ga
slimm[.]2022ketonkayal[.]ru[.]com
stapaman[.]ga
titerviconti[.]ga
whetiredpe[.]ga


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

join
Click Above for Telegram
discord
Click Above for Discord
reddit
Click Above for Reddit
hd linkedin
Click Above For LinkedIn