Malvertising Attack Spreads Malicious Sponsored Content Via Taboola

Matthew Broersma,
HSBC, security, hacking

Attackers are now making use of ‘sponsored content’ networks such as Taboola to insert malicious content into trusted sites, researchers have found

Scammers are increasingly using sponsored content to redirect users toward malicious sites, say researchers.

The trend is a new twist on ‘malvertising‘, which conventionally relies on malicious banner adverts, according to computer security firm Malwarebytes, which gave details on a recent scam uncovered on Microsoft’s MSN.com website.

Content network

The scam relied on authentic-looking content provided via Taboola, which provides sponsored content typically labelled “More stories from around the web” or “You may also like…”

When Malwarebytes’ researcher clicked on a particular Taboola-provided article they were redirected to a tech support scam page displaying a warning that the user’s computer had crashed and providing a telephone number for users to call.

Attackers created a genuine-looking content website
Attackers created a genuine-looking content website to launch the scam

“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely,” wrote Malwarebytes researcher Jérôme Segura in an advisory. “Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”

The sophisticated scam involved the creation of a seemingly genuine content website called Infinity Media, similar in appearance to others that provide content via Taboola, Segura said.

In order to entice users to click on its articles the site used tactics similar to those of genuine advertisers, such as researching popular news trends and using search engine optimised keywords.

“The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic,” Segura wrote.

But in this case, Infinity Media was performing conditional redirects, with certain traffic, such as that from search engine crawlers, being directed to seemingly genuine content, while clicks determined to originate from an ordinary user would be directed toward the tech support scam, Segura said.

Do passwords have a future in cybersecurity?

View Results

Loading ... Loading ...

Domain link

The seemingly genuine content site and the tech support scam page appeared to be completely separate, but Malwarebytes determined they were created by the same attacker by analysing the two sites’ domain registration information.

Researchers found that the email address linked to Infinity Media’s website was also connected to a site called micro-soft-system-alert2, which resolved to an IP address filled with malicious pages, including the one used for the MSN scam.

“This particular actor made the mistake of reusing the same host server for domains he had created before,” Segura wrote.

Like malicious banner ads, scams relying on promoted content work by making use of advertising networks to insert their attacks into the sites of trusted sites such as MSN.com, Segura said.

“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait,” he wrote.

Do you know all about security in 2017? Try our quiz!