A malvertising campaign exploiting Black Friday shopping interest redirects Google users searching for Walmart to tech support scam pages, using cloaking and disposable domains to hide malicious intent. Malwarebytes reported the activity to Google, highlighting a large-scale effort to monetize clicks and deploy scareware. #Walmart #Malvertising #TechSupportScam #DriveByCompromise #Masquerading
Keypoints
- Malvertising campaign run via Google ads targeting Walmart-related searches, with thousands of hits recently observed.
- The redirect chain begins after a user clicks a search result ad, leading to a malicious tech support scam page.
- Dozens of advertiser domains are used for malvertising, including cloaked domains designed to evade blocking.
- Cloaking hides the malicious page by presenting a legitimate-looking Walmart URL to some users, while others are redirected to the scam page.
- Tech support scam pages use audio warnings to frighten users and solicit remote access to steal money.
- Click monetization and ad-driven redirection are central to the scam's business model; many users click the sponsored ad rather than navigating to the retailer's site directly.
- Malwarebytes reported the campaign and shared its findings with Google so the malicious ads could be taken down.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious ads redirect users from search results to scam pages; the article notes: ‘the Google link itself creates a series of redirects. We can finally see the destination URL (advertiser’s domain which is nveswillrema[.]ga).’
- [T1566.002] Phishing: Spearphishing Link – Attackers leverage search ads to lure victims to a malicious page: ‘first the user searches for the word "walmart" in Google. Based on their location and other factors (cookies, etc.) a malicious ad may be displayed at the top.’
- [T1036] Masquerading – The ad visually looks legitimate by displaying what appears to be the official Walmart URL: ‘Visually the advert looks legitimate as it appears to display the official website URL, although as we’ll come to see that does not mean anything.’
- [T1204.001] User Execution – The scam relies on user action to engage further: ‘Bogus tech support agents are at the ready for you to let them gain remote access to your computer.’
Indicators of Compromise
- [Domain] Domains used by the advertiser – 1keto[.]2022ketoabsolut[.]ru[.]com, 1ketogo[.]shop, 2022ketoabsolut[.]ru[.]com, angelbakery[.]cfd, barnevebarjekind[.]ga, and many more domains
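The redirect chain and cloaking behaviour described in the keypoints, together with the indicator list above, can be turned into a simple triage check. The following Python is an added example and not code from Malwarebytes or from the report: it refangs the defanged domains, compares the host the ad displays with the host the browser actually lands on, and flags cloaking when the same ad sends different client profiles to different places. The redirect chains and the profile names (`residential`, `crawler`) are constructed for the demonstration; only the advertiser hosts come from the page.

```python
from urllib.parse import urlparse

# Defanged indicators copied from the page's IoC section plus the advertiser
# domain quoted under T1189. Defanging ("[.]") keeps the list from becoming
# clickable; refang() restores the dots before matching.
DEFANGED_IOCS = [
    "1keto[.]2022ketoabsolut[.]ru[.]com",
    "1ketogo[.]shop",
    "2022ketoabsolut[.]ru[.]com",
    "angelbakery[.]cfd",
    "barnevebarjekind[.]ga",
    "nveswillrema[.]ga",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com', lower-cased."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, without port or trailing dot."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def host_matches(host: str, parent: str) -> bool:
    """True when host equals parent or is a subdomain of it."""
    return host == parent or host.endswith("." + parent)


def matched_iocs(url: str, iocs=DEFANGED_IOCS) -> list:
    """All indicators (refanged) that the URL's host falls under, in list order."""
    host = host_of(url)
    return [ioc for ioc in (refang(d) for d in iocs) if host_matches(host, ioc)]


def analyse_chain(displayed_url: str, chain: list, iocs=DEFANGED_IOCS) -> dict:
    """Compare the URL shown in the ad with the hops the browser actually took.

    chain[0] is the first URL fetched after the click, chain[-1] the page that
    finally rendered. The ad is suspicious when the landing host is neither the
    displayed brand host nor a subdomain of it, and confirmed bad when any hop
    matches the indicator list.
    """
    displayed_host = host_of(displayed_url)
    final_host = host_of(chain[-1]) if chain else ""
    hits = [ioc for hop in chain for ioc in matched_iocs(hop, iocs)]
    return {
        "displayed_host": displayed_host,
        "final_host": final_host,
        "hops": len(chain),
        "host_mismatch": not host_matches(final_host, displayed_host),
        "ioc_hits": sorted(set(hits)),
    }


def detect_cloaking(observations: dict, displayed_url: str) -> dict:
    """Cloaking check over several visits made under different client profiles.

    observations maps a profile name (hypothetical labels such as 'crawler' or
    'residential') to the redirect chain seen for that profile. The same ad
    serving the brand site to some visitors and a foreign host to others is the
    cloaking behaviour the report describes.
    """
    results = {p: analyse_chain(displayed_url, c) for p, c in observations.items()}
    clean = {p for p, r in results.items() if not r["host_mismatch"]}
    bad = {p for p, r in results.items() if r["host_mismatch"]}
    return {
        "cloaked": bool(clean) and bool(bad),
        "clean_profiles": sorted(clean),
        "redirected_profiles": sorted(bad),
        "ioc_hits": sorted({h for r in results.values() for h in r["ioc_hits"]}),
    }


# Constructed sample: the intermediate hops are made up for the demonstration;
# only the final advertiser host (nveswillrema[.]ga) comes from the page.
SAMPLE_AD_URL = "https://www.walmart.com/"
SAMPLE_CHAINS = {
    "residential": [
        "https://www.google.com/aclk?sa=L&ai=EXAMPLE",
        "https://tracker.example/click?id=1",
        "https://nveswillrema.ga/landing",
        "https://alert.nveswillrema.ga/?warning=1",
    ],
    "crawler": [
        "https://www.google.com/aclk?sa=L&ai=EXAMPLE",
        "https://www.walmart.com/",
    ],
}

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_CHAINS, SAMPLE_AD_URL))
```

In practice the chains would come from a browser automation harness or proxy logs recorded for each profile; the host comparison is deliberately lenient (subdomains of the displayed brand pass) so that legitimate CDN or regional hosts do not trigger false positives, while any hop matching the indicator list is reported regardless of where the chain ends.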