The Malwarebytes investigation uncovers a massive utility scam campaign that uses geo-targeted Google search ads to lure victims into dialing fraudulent numbers or visiting fake energy-insurance sites. The operation relies on a sprawling infrastructure of domains and contact details, and Malwarebytes outlines steps to stay safe and how they’re helping to disrupt it. #Pakistan #FTC #Malwarebytes #GoogleAds #EnergyBilling #UtilityScams
Keypoints
- The scam is carried out through fraudulent ads shown to mobile users, geolocated to the user’s area.
- Ad clicks often prompt a phone call rather than opening a new site, facilitating direct harassment and extortion.
- Criminals redirect victims to seemingly legitimate sites to “prove” credibility and pressure action.
- The operators run a large infrastructure with dozens of domains and templates focused on energy/utility themes.
- Investigators tracked and reported many domains to registrars in hopes of suspension.
- Malwarebytes urges users to avoid search ads, use ad-blocking protection, and follow safety tips to thwart scams.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising leads users to fraudulent content via sponsored search results. Quote: “The ads are shown to mobile devices only, which makes sense given how often people use their phones.”
- [T1583] Acquire Infrastructure – The operators registered dozens of domain names and built site templates themed around energy or utility savings. Quote: “The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings.”
- [T1036] Masquerading – Fraudulent sites are credible enough to make victims feel they are doing the right thing. Quote: “Those sites are often credible enough for a victim to feel like they are doing the right thing.”
Indicators of Compromise
- [Advertiser Accounts] – Google advertiser accounts used to run the fraudulent ads; examples include hacked accounts belonging to US entities.
- [Domain] – scammer domains such as 360billingservices[.]com, aadigital[.]online, billmediums[.]com, and other similar domains (and 2 more domains).
- [Phone Number] – multiple scam contact numbers used to solicit calls, e.g., 888[-]960[-]3984, 888[-]315[-]9188, and 2 more numbers.