Malvertising on Microsoft Edge's News Feed pushes tech support scams


While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

Overview

The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsuspecting users to tech support scams.

The redirection flow can be summarized in the diagram below:

[Diagram: redirection flow from the Edge News Feed ad to the tech support scam page]


Technical details

When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, in the following format:

document.location.replace('https:\/\/[scammer domain]\/{..}\/?utm_source=taboola&utm_medium=referral

The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.



An original version of this script can be found here, while a beautified version can be found here.

The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest, which are instead shown a harmless page related to the advert.

This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. What's worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block.



These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.

Infrastructure

The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):
One of the domains, tissatweb[.]us, which was also publicly reported for hosting a browser locker, has interesting whois data:

Registrant Email: sumitkalra1683@gmail[.]com

That email address is associated with the following additional domains:
The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is "Computer and related activities".

Protection

This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.



The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.
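A defender-side detection sketch for the chain described in the post, added here as an illustrative example; it is not part of the original article or any Malwarebytes tooling. It walks constructed proxy log lines, flags a client whose requests show the Taboola click, the utm_source=taboola referral and a hop to an ondigitalocean.app subdomain, and counts the distinct ondigitalocean.app hostnames seen, since the post reports over 200 in 24 hours. The log format and every hostname other than api.taboola.com and ondigitalocean.app are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines: "<timestamp> <client-ip> <url>".
# Lure and locker hostnames here are made up; only api.taboola.com and the
# ondigitalocean.app suffix come from the write-up above.
SAMPLE_LOG = """\
2023-09-20T10:00:01 10.0.0.5 https://api.taboola.com/click
2023-09-20T10:00:02 10.0.0.5 https://lure-site.invalid/abc/?utm_source=taboola&utm_medium=referral
2023-09-20T10:00:03 10.0.0.5 https://a1b2c3.ondigitalocean.app/index.html
2023-09-20T10:05:00 10.0.0.9 https://news.invalid/story?utm_source=taboola&utm_medium=referral
2023-09-20T11:00:03 10.0.0.7 https://zz99.ondigitalocean.app/index.html
2023-09-20T11:00:04 10.0.0.7 https://d4e5f6.ondigitalocean.app/index.html
"""

SUSPECT_SUFFIX = ".ondigitalocean.app"  # cloud hosting abused for the browlock pages


def parse_line(line):
    """Split one log line into timestamp, client and the URL's host and query."""
    ts, client, url = line.split(" ", 2)
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "host": parts.hostname or "",
            "query": parse_qs(parts.query)}


def is_taboola_referral(rec):
    """True when the URL carries the utm_source/utm_medium pair from the redirect."""
    q = rec["query"]
    return q.get("utm_source") == ["taboola"] and q.get("utm_medium") == ["referral"]


def analyse(log_text):
    """Return (full-chain alerts per client, number of distinct locker hostnames)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        hosts = [r["host"] for r in recs]
        lockers = [h for h in hosts if h.endswith(SUSPECT_SUFFIX)]
        # Full chain: Taboola click -> referral-tagged lure -> cloud-hosted locker.
        if "api.taboola.com" in hosts and any(map(is_taboola_referral, recs)) and lockers:
            alerts.append((client, lockers))
    # Hostname churn: how many distinct locker subdomains this log covers.
    churn = len({r["host"] for r in records if r["host"].endswith(SUSPECT_SUFFIX)})
    return alerts, churn
```

A referral-tagged URL on its own (client 10.0.0.9) is not alerted, because legitimate Taboola placements use the same parameters; the locker hostname churn is reported separately so that blocking by suffix can be weighed against collateral.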


Thanks, Shawn.
Further to that, the number of suspicious looking (to me) sources grows daily. I've been deleting everything that I don't want/like, keeping to mainstream sources but it's a losing battle!