A new malvertising campaign is targeting users in the United States. The attack leverages Facebook’s paid advertising platform to lure victims into a tech support scam (TSS) kit.
The campaign is notable for its rapid infrastructure rotation and a distinct three-step redirection chain designed to bypass standard security filters.
The attack begins with a paid advertisement on Facebook. These ads appear legitimate at first glance, often masquerading as harmless content to blend into a user’s social media feed. Once a user clicks the advertisement, the three-step chain is initiated:
- The Facebook Ad: The initial vector is a sponsored post on Facebook. By paying for placement, threat actors ensure their malicious links appear in the feeds of specifically targeted demographics.
- The Decoy Site: Clicking the ad does not send the user straight to a malicious page. Instead, the browser lands on a decoy website, in this campaign themed as an Italian restaurant. The intermediate hop is a buffer against automated review: a crawler or ad-review scanner that only inspects the ad’s declared destination sees a harmless restaurant site rather than the scam page.
- The Final Payload: The decoy site then redirects the visitor automatically to the final destination, a tech support scam landing page. These pages are hosted on Azure Storage static website endpoints under web.core.windows.net (the IOC below follows the <storage-account>.zNN.web.core.windows.net form). Hosting the scam on a legitimate Microsoft service lends the page a veneer of trust and complicates domain-based blocking: the parent domain cannot be blocked without breaking legitimate Azure-hosted sites, so defenders must block individual storage-account hostnames, which the actor can stand up quickly.
Infrastructure and Targeting
This campaign is highly active and specifically targets users located in the US. Analysis of the threat actor’s activity reveals aggressive domain rotation across the redirection chain: over a period of just seven days, the attackers cycled through more than 100 unique domains.
Interestingly, the campaign appears to follow a “business hours” schedule, with activity primarily observed during weekdays. This suggests a manually managed operation rather than a fully automated botnet.
The use of Azure static web hosting allows the attackers to deploy professional-looking landing pages quickly.
These pages typically display fake system warnings, claiming the user’s computer is infected with malware and urging them to call a fraudulent support number.
Mitigations
Security teams have successfully blocked this campaign using a combination of URL pattern matching and HTML signature analysis.
The Azure static-site hostnames (web.core.windows.net) combined with specific scripts found on the landing pages give a consistent detection signature. The hostname suffix alone is too broad to block outright, since legitimate sites share the same Azure hosting, so the HTML-level match is what keeps the rule precise.
Users are advised to exercise caution when interacting with sponsored content on social media platforms.
Organizations should update their web filtering rules to scrutinize redirects originating from social media ads, particularly those leading to generic cloud hosting subdomains.
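As an added example that is not part of the original article, the following Python models the three-hop chain described above and the two detection angles named under Mitigations: URL pattern matching on the redirect chain and HTML signature matching on the landing page. It walks a Facebook click through a decoy page that meta-refreshes to an Azure static site, then scores the chain. The decoy and landing hostnames, the page bodies and the scam phrases are constructed for the demo; the Azure endpoint pattern (<account>.z<NN>.web.core.windows.net) and Facebook's outbound link shim (l.facebook.com/l.php?u=...) are assumptions about those services, and the `fetch` callback stands in for a real HTTP client so everything runs offline.

```python
"""Offline model of the Facebook ad -> decoy -> Azure static site chain and of
the two detection angles named under Mitigations: URL pattern matching on the
redirect chain and HTML signature matching on the landing page.

Added example, not code from the article. Hostnames, page bodies and the
scam phrases below are constructed for the demo; the Azure static-website
host pattern (<account>.z<NN>.web.core.windows.net) and Facebook's outbound
link shim (l.facebook.com/l.php?u=...) are assumptions about those services.
"""
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Azure Storage static website endpoint: <storage-account>.z<zone>.web.core.windows.net
AZURE_STATIC_WEB = re.compile(r"^[a-z0-9]{3,24}\.z\d{1,2}\.web\.core\.windows\.net$")

# Generic tech-support-scam page heuristics (assumed; the article names none).
TSS_HTML_SIGNATURES = {
    "fake_infection_warning": re.compile(r"\b(computer|pc) (has been|is) (infected|blocked|locked)", re.I),
    "call_now_number": re.compile(r"\+?1?[\s(-]*\d{3}[\s)-]*\d{3}[\s-]*\d{4}"),
    "browser_lock_script": re.compile(r"requestFullscreen|onbeforeunload", re.I),
    "microsoft_branding": re.compile(r"microsoft (support|security)", re.I),
}

# Client-side redirect forms a decoy page can use to forward the visitor.
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]+content=[\"']\s*\d+\s*;\s*url=([^\"'>\s]+)", re.I)
JS_LOCATION = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def extract_redirect_target(html, base_url):
    """Return where an auto-redirecting page sends the browser next, or None."""
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(html)
        if m:
            return urljoin(base_url, m.group(1))
    return None


def next_hop(url, html):
    """Resolve the next URL in the chain: Facebook's link shim carries the
    destination in its `u` parameter; any other page is scanned for a
    client-side redirect."""
    parsed = urlparse(url)
    if host_of(url).endswith("facebook.com") and parsed.path == "/l.php":
        target = parse_qs(parsed.query).get("u")
        return target[0] if target else None
    return extract_redirect_target(html, url)


def follow_chain(start_url, fetch, max_hops=5):
    """Walk the redirect chain from start_url. `fetch(url)` returns a page body
    (a real analyzer would do an HTTP GET with a browser User-Agent and the
    social-media Referer; here it is injected so the demo runs offline).
    Returns (list of hop URLs, body of the final page)."""
    chain = [start_url]
    html = fetch(start_url)
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1], html)
        if not nxt or nxt in chain:  # no further redirect, or a loop
            break
        chain.append(nxt)
        html = fetch(nxt)
    return chain, html


def classify_chain(chain, landing_html):
    """Score a chain against the campaign shape: social-ad click -> unrelated
    decoy domain -> Azure static-site host whose page matches TSS signatures.
    A bare Azure static-site hostname is deliberately NOT enough to block:
    legitimate sites share that suffix, which is why the campaign uses it."""
    hosts = [host_of(u) for u in chain]
    findings = []
    if hosts and (hosts[0] == "facebook.com" or hosts[0].endswith(".facebook.com")):
        findings.append("origin:facebook_ad_click")
    azure_landing = bool(hosts) and AZURE_STATIC_WEB.match(hosts[-1]) is not None
    if azure_landing:
        findings.append("landing:azure_static_web_host")
    decoys = [h for h in hosts[1:-1]
              if not h.endswith("facebook.com") and not AZURE_STATIC_WEB.match(h)]
    findings.extend("decoy:" + h for h in decoys)
    html_hits = [name for name, pat in TSS_HTML_SIGNATURES.items() if pat.search(landing_html)]
    findings.extend("html:" + name for name in html_hits)

    chain_shape = "origin:facebook_ad_click" in findings and azure_landing and bool(decoys)
    if (azure_landing and len(html_hits) >= 2) or (chain_shape and html_hits):
        verdict = "block"
    elif chain_shape or len(html_hits) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"chain": chain, "findings": findings, "verdict": verdict}


# Constructed sample: a Facebook ad click, an "Italian restaurant" decoy that
# meta-refreshes to an Azure static site, and a fake Microsoft alert page.
START_URL = "https://l.facebook.com/l.php?u=https%3A%2F%2Ftrattoria-decoy.example%2Fmenu.html"
SAMPLE_PAGES = {
    "https://trattoria-decoy.example/menu.html":
        '<html><head><title>Trattoria Menu</title>'
        '<meta http-equiv="refresh" content="0;url=https://acct0demo.z13.web.core.windows.net/alert.html">'
        '</head><body><h1>Our Italian Kitchen</h1></body></html>',
    "https://acct0demo.z13.web.core.windows.net/alert.html":
        '<html><body><h1>Microsoft Security Alert</h1>'
        '<p>Your computer has been blocked. Call Microsoft Support at 1-800-555-0199 now.</p>'
        '<script>window.onbeforeunload = function () { return "Do not close"; };</script>'
        '</body></html>',
}


def analyze_sample():
    chain, landing = follow_chain(START_URL, lambda u: SAMPLE_PAGES.get(u, ""))
    return classify_chain(chain, landing)


if __name__ == "__main__":
    result = analyze_sample()
    print(" -> ".join(host_of(u) for u in result["chain"]))
    print(result["verdict"], result["findings"])
```

The verdict logic encodes the caveat from the Mitigations section: a lone Azure static-site hostname with no scam content comes back `allow`, while the full ad-to-decoy-to-Azure shape plus page-level signatures comes back `block`. In production the `fetch` callback would be a real request carrying the Facebook Referer, since some kits only redirect when the visit looks like an ad click.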
IOCs
| Indicator Value | Type | Context/Description |
|---|---|---|
| hxxps[:]//www.facebook[.]com/ads/library/?id=1202995272012769 | URL | Facebook Ad Library entry for the malicious advertiser. |
| simplydeliciouspairing[.]com | Domain | Decoy / intermediate redirect page (Italian restaurant theme). |
| jacquesrocha[.]z13.web.core[.]windows[.]net | Hostname | Tech support scam (TSS) landing page (Azure Storage static website). |
