New 3-Step Malvertising Chain Exploits Facebook Ads to Promote Tech Support Scam Kit – gbhackers.com


A new, sophisticated malvertising campaign is targeting users in the United States. The attack leverages Facebook’s massive paid advertising platform to lure victims into a tech support scam (TSS) kit.
The campaign is notable for its rapid infrastructure rotation and a distinct three-step redirection chain designed to bypass standard security filters.
The attack begins with a paid advertisement on Facebook. These ads appear legitimate at first glance, often masquerading as harmless content to blend into a user’s social media feed. Once a user clicks the advertisement, the three-step chain is initiated:
This campaign is highly active and specifically targets users located in the US. Analysis of the threat actor’s activity reveals an aggressive domain rotation strategy in the malvertising chain.
Over a period of just seven days, the attackers rotated through more than 100 unique domains.
Interestingly, the campaign appears to follow a “business hours” schedule, with activity primarily observed during weekdays. This suggests a manually managed operation rather than a fully automated botnet.
The use of Azure static web hosting allows the attackers to deploy professional-looking landing pages quickly.
These pages typically display fake system warnings, claiming the user’s computer is infected with malware and urging them to call a fraudulent support number.
Security teams have successfully blocked this campaign using a combination of URL pattern matching and HTML signature analysis.
The reliance on Azure subdomains (web.core.windows.net) combined with specific scripts found on the landing pages provides a consistent signature for detection.
Users are advised to exercise caution when interacting with sponsored content on social media platforms.
Organizations should update their web filtering rules to scrutinize redirects originating from social media ads, particularly those leading to generic cloud hosting subdomains.
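The URL-pattern half of that detection, as an added example that is not from the article or any vendor's rule set: it follows referrer chains in proxy logs and flags those that start at a Facebook referrer and reach a web.core.windows.net host within three hops. The log tuple layout, the SOCIAL_HOSTS list and every sample host are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

AZURE_SUFFIX = ".web.core.windows.net"   # hosting suffix named in the article
SOCIAL_HOSTS = ("facebook.com", "fb.com")  # assumption: referrers treated as social-ad origins
MAX_HOPS = 3                               # the article describes a three-step chain

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_social(h):
    return any(h == s or h.endswith("." + s) for s in SOCIAL_HOSTS)

def find_chains(records):
    """records: iterable of (client, url, referer) in time order.
    Returns [(client, [url, ...])] for chains that start from a social
    referrer and reach an Azure static-hosting host within MAX_HOPS."""
    open_chains = {}   # (client, last_host) -> URLs seen so far
    hits = []
    for client, url, referer in records:
        ref_host, dst_host = host(referer), host(url)
        if is_social(ref_host):
            # New chain. HTTP 3xx hops keep the original referrer, so a
            # landing page reached that way is caught here as a one-hop chain.
            chain = [url]
        elif (client, ref_host) in open_chains:
            # Script or meta-refresh hops show the previous host as referrer.
            # Matching on host tolerates origin-only Referer headers.
            chain = open_chains.pop((client, ref_host)) + [url]
        else:
            continue
        if dst_host.endswith(AZURE_SUFFIX):
            hits.append((client, chain))
        elif len(chain) < MAX_HOPS:
            open_chains[(client, dst_host)] = chain
    return hits

# Constructed sample proxy log; all hosts are placeholders, not indicators from the article.
SAMPLE = [
    ("10.0.0.5", "https://promo.example/offer?id=1", "https://l.facebook.com/"),
    ("10.0.0.5", "https://hop.example/r", "https://promo.example/"),
    ("10.0.0.5", "https://acctplaceholder.z13.web.core.windows.net/index.html", "https://hop.example/"),
    ("10.0.0.7", "https://docs.example/page", "https://www.facebook.com/"),
    ("10.0.0.9", "https://teamsite.z6.web.core.windows.net/", "https://intranet.example/"),
]

if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE):
        print(client, " -> ".join(chain))
```

The last sample row shows why the referrer chain matters: a web.core.windows.net site reached from an internal page is not flagged, so legitimate Azure static sites are left alone.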