A current malvertising campaign is pushing ads in Microsoft Edge's news feed that redirect visitors to tech support scam websites. Edge is the default web browser on devices running Windows and currently holds a 4.3% global market share.
The tech scam campaign has been running for a couple of months. According to an intelligence team, it is the most extensive campaign they have observed, judging by the amount of noise it generates in their telemetry.
The scale of the campaign does not surprise the researchers, since the threat actors are cycling through hundreds of ondigitalocean[.]app subdomains, replacing their scam pages within 24 hours.
The malicious ads that the threat actors inject into Edge's timeline are also linked to additional domains. One known domain, tissatweb[.]us, was notorious in the past for hosting a browser locker.
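One way a defender could hunt for the subdomain-rotation pattern and the tissatweb[.]us indicator described above in DNS or proxy logs, as an added Python example that is not from the original report; the log line format, the client field and the five-subdomain alert threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ROTATING_APEX = "ondigitalocean.app"  # apex whose subdomains the report says rotate
KNOWN_BAD = {"tissatweb.us"}          # browser-locker host named in the report
WINDOW = timedelta(hours=24)          # rotation period described in the report
CHURN_THRESHOLD = 5                   # distinct subdomains per client (assumed value)
LINE_RE = re.compile(r"^(\S+) client=(\S+) host=(\S+)$")  # assumed log format

def parse_line(line):
    """Parse 'ISO-timestamp client=<ip> host=<fqdn>'; None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")

def apex_of(host):
    """Last two labels of a hostname (sufficient for the apexes used here)."""
    return ".".join(host.split(".")[-2:])

def analyze(lines):
    """Return (ioc_hits, churn_alerts); churn = distinct rotating subdomains per client in 24h."""
    known_hits, seen = [], defaultdict(list)
    for ts, client, host in filter(None, map(parse_line, lines)):
        if apex_of(host) in KNOWN_BAD:
            known_hits.append((client, host))
        elif apex_of(host) == ROTATING_APEX:
            seen[client].append((ts, host))
    alerts = {}
    for client, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a 24h window over each client's hits
            hosts = {h for t, h in events[i:] if t - start <= WINDOW}
            if len(hosts) >= CHURN_THRESHOLD:
                alerts[client] = max(alerts.get(client, 0), len(hosts))
    return known_hits, alerts

# Constructed sample log: one client cycles through five throwaway subdomains and then
# reaches the known locker domain; a second client has a single, legitimate-looking hit.
SAMPLE_LOG = [
    "2022-03-01T10:00:00 client=10.0.0.5 host=x7k2q.ondigitalocean.app",
    "2022-03-01T11:30:00 client=10.0.0.5 host=p9m4z.ondigitalocean.app",
    "2022-03-01T13:00:00 client=10.0.0.5 host=t1c8v.ondigitalocean.app",
    "2022-03-01T16:45:00 client=10.0.0.5 host=w5n3r.ondigitalocean.app",
    "2022-03-02T08:00:00 client=10.0.0.5 host=b6j0y.ondigitalocean.app",
    "2022-03-02T08:05:00 client=10.0.0.5 host=tissatweb.us",
    "2022-03-01T10:00:00 client=10.0.0.7 host=legit-app.ondigitalocean.app",
]
```

Because ondigitalocean[.]app also hosts legitimate applications, a single hit is not suspicious on its own; the churn count, not the apex, is the signal.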
The redirection chain that Edge visitors are sent through begins with a check of several browser settings, such as the time zone, to decide whether the visitor is worth targeting. If not, the actors send the user to a decoy page.
The actors use an ad network to redirect their targets to the tech support scam domain.
According to reports, the threat actors use the Taboola ad network to load a base64-encoded JavaScript payload designed to redirect targets to the tech support scam domain. The script is built to filter and select potential victims.
The scheme, well known among tech support scammers, is built to deceive unsuspecting users with phoney browser locker pages.
The researchers disclosed that if a target calls the scammer's phone number, the scam locks the target's computer using numerous techniques or tells them that their device is infected and that they must purchase a support license.
Once the scammers connect to the targeted computer for the alleged support session, they try to convince the victim to purchase an expensive tech support contract that delivers nothing.