Malvertising on the Microsoft Edge News Feed redirects users to tech support scam pages via the Taboola ad network. The operation uses a cloud-based infrastructure and fingerprinting to target victims while avoiding bots or blocks. #Taboola #EdgeNewsFeed #browserlocker #techsupportscam #SumitKalra #MwsSoftwareServices #ondigitalocean
Keypoints
- Malvertising on the Edge News Feed redirects unsuspecting users to tech support scam pages.
- The redirection flow involves calling the Taboola API to determine the next URL to load, redirecting the user accordingly.
- The first response from malicious domains delivers a Base64-encoded JavaScript used to fingerprint visitors and decide if they are targets.
- The campaign leverages cloud infrastructure with rapidly changing subdomains (ondigitalocean.app), yielding hundreds of hostnames in short time.
- A long list of malicious landing domains is associated with the campaign, including tissatweb.us and others; Whois data links to Sumit Kalra and Mws Software Services Private Limited.
- Malwarebytes notes this campaign as one of the largest telemetry-noise campaigns, with protection provided by Browser Guard.
MITRE Techniques
- [T1189] Drive-by Compromise – Users browsing the Microsoft Edge News Feed are redirected to tech support scam pages through malicious advertisements. ‘The malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages.’
- [T1071.001] Application Layer Protocol – A request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. ‘The server will respond with the next URL to load, with the following format: document.location.replace('https://[scammer domain]/{..}/?utm_source=taboola&utm_medium=referral')’
- [T1027] Obfuscated/Compressed Files and Information – The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target. ‘The first request to one of those malicious domains retrieves a Base64 encoded JavaScript…’
- [T1583] Acquire Infrastructure – The advertisements are backed by cloud infrastructure on ondigitalocean.app with over 200 hostnames in 24 hours. ‘These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.’
- [T1497] Virtualization/Sandbox Evasion – Fingerprinting is used to show the malicious redirect only to selected victims, ignoring bots, VPNs and geolocations that are not of interest. ‘The fingerprinting to avoid detection is interesting… ignoring bots, VPNs and geolocations that are not of interest…’
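As an added defender-side example (not code from the Malwarebytes write-up), the following Python scans proxy log entries for the redirect pattern described above: a landing host under ondigitalocean.app reached with the utm_source=taboola&utm_medium=referral parameters, plus a churn signal for clients that hit several distinct throw-away subdomains in the log. The log format and every hostname in the sample are constructed, not indicators from the campaign.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines ("<timestamp> <client> <url>").
# The *.ondigitalocean.app subdomains below are made-up placeholders,
# not hostnames observed in the campaign.
SAMPLE_LOG = """\
2022-09-14T10:00:01 10.0.0.5 https://aaa111.ondigitalocean.app/t/?utm_source=taboola&utm_medium=referral
2022-09-14T10:00:07 10.0.0.5 https://bbb222.ondigitalocean.app/t/?utm_source=taboola&utm_medium=referral
2022-09-14T10:12:30 10.0.0.5 https://ccc333.ondigitalocean.app/t/?utm_source=taboola&utm_medium=referral
2022-09-14T10:13:00 10.0.0.9 https://news.example.com/story?utm_source=taboola&utm_medium=referral
2022-09-14T10:14:00 10.0.0.9 https://myapp.ondigitalocean.app/
"""

CLOUD_SUFFIX = ".ondigitalocean.app"


def is_scam_landing(url: str) -> bool:
    """True when the URL matches the redirect pattern from the write-up:
    a *.ondigitalocean.app host reached with Taboola referral parameters.
    Requiring both signals keeps ordinary App Platform traffic out."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(CLOUD_SUFFIX):
        return False
    qs = parse_qs(parsed.query)
    return qs.get("utm_source") == ["taboola"] and qs.get("utm_medium") == ["referral"]


def analyze(log_text: str, churn_threshold: int = 3) -> dict:
    """Return matching (client, host) pairs and the clients that reached at
    least churn_threshold distinct landing subdomains (the churn signal)."""
    hits = []
    hosts_per_client = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip it
        _ts, client, url = parts
        if is_scam_landing(url):
            host = urlparse(url).hostname.lower()
            hits.append((client, host))
            hosts_per_client[client].add(host)
    churn = sorted(c for c, hs in hosts_per_client.items() if len(hs) >= churn_threshold)
    return {"hits": hits, "churn_clients": churn}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Tune churn_threshold to the time window your logs cover; the write-up's figure of over 200 hostnames in 24 hours is for the whole campaign, not a single client.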
Indicators of Compromise
- [Domain] Ad infrastructure domains – feedsonbudget.com, financialtrending.com, and 17 more domains
- [Domain] Cloud hosting infrastructure – ondigitalocean.app
- [Email] Registrant Email – [email protected]
- [Person] Key actor – Sumit Kalra
- [Organization] Associated company – Mws Software Services Private Limited