A new cyber threat is utilizing Facebook’s paid advertising platform to target users, presenting significant challenges to online security. Leveraging malvertising, attackers circumvent traditional security measures to deliver harmful content to unsuspecting individuals.
Understanding the Malvertising Strategy
This latest campaign employs a complex three-step malvertising chain to mislead users, ultimately drawing them into a tech support scam. The process begins when a user interacts with a misleading advertisement on their social media feed. Instead of being directed to a legitimate site, users are redirected through a sequence of deceptive webpages.
The initial redirection leads to a fake website resembling an Italian restaurant page, strategically placed as a buffer to evade automated detection systems. This step is crucial in masking the malicious intent of the campaign.
Uncovering the Threat’s Mechanics
The final phase of the attack brings users to a fraudulent landing page hosted on Microsoft Azure, designed to mimic legitimate system alerts. This tactic is intended to alarm users into contacting a fake support line, under the false impression that their device is compromised.
Gen Threat Labs researchers have highlighted the campaign’s targeted approach, noting its exclusive focus on users in the United States. The attackers frequently change their infrastructure, rotating over 100 domains in a mere seven days, predominantly during weekdays to maximize impact.
Exploiting Trusted Platforms
A distinctive feature of this campaign is its exploitation of trusted cloud services to disguise malicious activities. By hosting scam pages on Azure and using legitimate subdomains, attackers make it difficult to implement broad mitigation measures without affecting valid services.
The use of the simplydeliciouspairing[.]com decoy site further complicates detection, as it ensures only genuine browser interactions lead to the scam. This strategy, combined with rapid domain rotation, enables the campaign to evade static blocklists effectively.
Users are advised to exercise caution with social media advertisements, verifying URLs before engagement and remaining alert to unexpected redirects. Security teams should block recognized indicators of compromise and monitor for unusual traffic patterns involving Azure subdomains.
Stay updated by following us on Google News, LinkedIn, and X. Set CSN as a preferred source on Google for more insights.
