Cybercriminals are hijacking Facebook’s paid ad system in a slick three-step malvertising campaign. This attack tricks users into tech support scams by starting with innocent-looking ads, then redirecting through fake sites to scam landing pages hosted on Microsoft Azure.
Security researchers spotted it targeting US users, with attackers churning through over 100 domains in just seven days, active only on weekdays to dodge detection.
The chain begins on Facebook, where ads from a shady advertiser ID lure victims with fake promotions.
Clicking leads to decoy websites posing as everyday businesses, like Italian restaurants. These sites quickly redirect users to malicious pages that claim to offer “tech support” fixes.
Once there, pop-ups and alerts scare victims into calling scammers who demand payment for bogus services. It’s a classic tech support scam (TSS), but the malvertising twist makes it spread fast and hard to block.
This isn’t random spam. Attackers use paid ads to gain credibility, blending in with legitimate Facebook traffic. Domains rotate rapidly, likely via automated scripts, hitting peak hours on business days. Blocks now rely on URL patterns and HTML fingerprints from the pages.
Step 1: Facebook Ad Hook. Victims see targeted ads from Facebook advertiser ID 1202995272012769. Check it yourself at the Facebook Ads Library. Ads promise deals or services, but they’re pure bait: no malware download here, just a redirect to keep things stealthy.
Step 2: Decoy Landing. Clicks send users to lookalike sites, such as simplydeliciouspairing[.]com, that mimic harmless businesses (e.g., restaurants).
These pages load fast with minimal content (a menu or a photo) to avoid red flags. JavaScript kicks in within seconds, redirecting without user input. It’s seamless, often evading basic ad blockers.
Step 3: Azure-Hosted Scam Page. The final stop is a TSS page on Azure Blob Storage, such as jacquesrocha[.]z13.web[.]core[.]windows[.]net. Here, aggressive pop-ups scream “Your PC is infected!” or “Critical error, call now!” Fake alerts mimic Windows dialogs, urging calls to scammer hotlines.
Victims hand over remote access or pay via gift cards/crypto. Azure’s reliability makes these pages uptime-stable, outlasting free hosts.
Researchers tracked over 100 rotated domains in a week, all of which were active on weekdays (Monday-Friday). Patterns include Italian-themed decoys and Azure subdomains like *.z13.web.core.windows.net.
TTPs match known TSS groups, possibly Lazarus-linked or opportunistic crews. No ransomware yet, but escalation risks loom.
According to Gen Threat Labs, defenses focus on proactive blocking. URL signatures catch *.web.core.windows.net redirects; HTML checks spot TSS boilerplate like “virus alert” divs. EDR tools flag pop-up floods; browser extensions like uBlock Origin help consumers.
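The URL-signature and HTML-fingerprint checks described above, as an added Python example that is not code from the article or from Gen Threat Labs. It scans constructed proxy log lines for requests to Azure Storage static-website hosts reached via a third-party referer (the decoy-to-Azure hop), and scores a page body for the scam-page phrases the article quotes. The host pattern is generalised from the z13 zone in the article to any z<NN> zone, which is the shape of Azure Storage static-website endpoints; the log format, timestamps, the phone-number heuristic and every hostname other than the two the article names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Azure Storage static-website endpoints look like <account>.z<NN>.web.core.windows.net.
# The article's sample is in zone z13; the pattern accepts any numeric zone.
AZURE_STATIC_SITE = re.compile(r"^[a-z0-9-]+\.z\d+\.web\.core\.windows\.net$", re.I)

# Scam-page boilerplate phrases quoted in the article, lower-cased for matching.
TSS_PHRASES = ("your pc is infected", "critical error", "call now", "virus alert")

# Heuristic (assumption): scam "hotlines" are commonly North American toll-free numbers.
PHONE_RE = re.compile(r"\b1?[-. ]?\(?8(00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")

# Constructed proxy log: "<timestamp> <user> <method> <url> <referer-or-dash> <status>".
# The two hostnames from the article appear in the first two lines; the rest are made up.
SAMPLE_PROXY_LOG = """\
2025-01-06T14:01:12Z alice GET https://simplydeliciouspairing.com/ https://www.facebook.com/ 200
2025-01-06T14:01:15Z alice GET https://jacquesrocha.z13.web.core.windows.net/index.html https://simplydeliciouspairing.com/ 200
2025-01-06T14:07:40Z bob GET https://learn.microsoft.com/azure/storage/ - 200
2025-01-06T14:09:03Z carol GET https://mydocs.z22.web.core.windows.net/report.pdf https://learn.microsoft.com/ 200
"""

# Constructed page bodies: one mimicking the TSS page, one a harmless decoy menu.
SAMPLE_TSS_HTML = """<html><body><div class="alert">Windows Security Alert: Your PC is infected!</div>
<p>Critical error. Call now: 1-888-555-0142</p></body></html>"""
BENIGN_HTML = "<html><body><h1>Trattoria menu</h1><p>Open daily 11-10</p></body></html>"


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def flag_url(url: str, referer: str = "") -> list[str]:
    """Return the reasons a request matches the Azure-hosted scam-page redirect pattern."""
    reasons = []
    host = host_of(url)
    ref_host = host_of(referer)
    if AZURE_STATIC_SITE.match(host):
        reasons.append("azure-static-site")
        # A storage static site entered from an unrelated third-party site is the
        # decoy-to-Azure hop; arriving from Microsoft's own domains is left unflagged.
        if ref_host and not ref_host.endswith(("microsoft.com", "windows.net", "azure.com")):
            reasons.append(f"redirect-from:{ref_host}")
    return reasons


def score_tss_html(html: str) -> int:
    """HTML fingerprint: count scam-page phrases, plus one point for a hotline-style number."""
    text = html.lower()
    score = sum(1 for phrase in TSS_PHRASES if phrase in text)
    if PHONE_RE.search(text):
        score += 1
    return score


def parse_log_line(line: str) -> dict:
    """Split one constructed log line into its fields ('-' means no referer)."""
    ts, user, method, url, referer, status = line.split()
    return {"ts": ts, "user": user, "method": method, "url": url,
            "referer": "" if referer == "-" else referer, "status": status}


def scan_proxy_log(log: str) -> list[tuple[str, list[str]]]:
    """Run the URL signature over every line; return (url, reasons) for each hit."""
    hits = []
    for line in log.strip().splitlines():
        rec = parse_log_line(line)
        reasons = flag_url(rec["url"], rec["referer"])
        if reasons:
            hits.append((rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{url}: {', '.join(reasons)}")
    print("TSS page score:", score_tss_html(SAMPLE_TSS_HTML))
    print("Benign page score:", score_tss_html(BENIGN_HTML))
```

A hit carrying only "azure-static-site" is low confidence on its own, since legitimate static sites live on the same endpoint family; the "redirect-from" reason plus a high HTML score on the fetched body is the combination worth alerting on.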
Key Indicators of Compromise (IOCs):
Patch your browsers, enable pop-up blockers, and report bad ads to Facebook. Enterprises: Tune WAFs for Azure redirects and scan ad traffic.
This campaign shows malvertising’s evolution: cheap, scalable, and ad-platform agnostic. Stay vigilant; more variants are likely inbound.
© Copyright 2024 – Cyber Press