While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.
We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.
In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.
Overview
The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsupecting users to tech support scams.
The redirection flow can be summarized in the diagram below:
Technical details
When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, with the folling format:
document.location.replace('https:\/\/[scammer domain]\/{..}\/?utm_source=taboola&utm_medium=referral
The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.
An original version of this script can be found here, while a beautified version can be found here.
The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert.
This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. What's worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block.
These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.
Infrastructure
The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):
-
feedsonbudget[.]com
-
financialtrending[.]com
-
foddylearn[.]com
-
glamorousfeeds[.]com
-
globalnews[.]cloud
-
hardwarecloseout[.]com
-
humaantouch[.]com
-
mainlytrendy[.]com
-
manbrandsonline[.]com
-
polussuo[.]com
-
newsagent[.]quest
-
newsforward[.]quest
-
puppyandcats[.]online
-
thespeedoflite[.]com
-
tissatweb[.]us
-
trendingonfeed[.]com
-
viralonspot[.]com
-
weeklylive[.]info
-
everyavenuetravel[.]site
One of the domains,tissatweb[.]us, which was also publicly reported for hosting a browser locker has interesting whois data:
Registrant Email: [email protected][.]com
That email address is associated with the following additional domains:
- tissat[.]us
- mvpconsultant[.]us
- aksconsulting[.]us
- furnitureshopone[.]us
- minielectronic[.]in
- antivirusphonenumber[.]org
- quickbooktechnicalsupport[.]org
- printertechnicahelp[.]com
- comsecurityessentials[.]support
- decfurnish[.]com
- netsecurity-essential[.]com
- mamsolutions[.]us
- mamsolution[.]us
- a-techsolutions[.]us
The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is "Computer and related activities".
Protection
This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.
The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.
Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.