Malvertising Attack Spreads Malicious Sponsored Content Via Taboola

Scammers are increasingly using sponsored content to redirect users toward malicious sites, say researchers.

The trend is a new twist on ‘malvertising’, which conventionally relies on malicious banner adverts, according to computer security firm Malwarebytes, which gave details on a recent scam uncovered on Microsoft’s website.

Content network

The scam relied on authentic-looking content provided via Taboola, which provides sponsored content typically labelled “More stories from around the web” or “You may also like…”

When Malwarebytes’ researcher clicked on a particular Taboola-provided article, they were redirected to a tech support scam page that displayed a warning that the user’s computer had crashed and gave a telephone number for users to call.

Attackers created a genuine-looking content website to launch the scam

“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely,” wrote Malwarebytes researcher Jérôme Segura in an advisory. “Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”

The sophisticated scam involved the creation of a seemingly genuine content website called Infinity Media, similar in appearance to others that provide content via Taboola, Segura said.

In order to entice users to click on its articles the site used tactics similar to those of genuine advertisers, such as researching popular news trends and using search engine optimised keywords.

“The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic,” Segura wrote.

But in this case, Infinity Media was performing conditional redirects, with certain traffic, such as that from search engine crawlers, being directed to seemingly genuine content, while clicks determined to originate from an ordinary user would be directed toward the tech support scam, Segura said.

Domain link

The seemingly genuine content site and the tech support scam page appeared to be completely separate, but Malwarebytes determined they were created by the same attacker by analysing the two sites’ domain registration information.

Researchers found that the email address linked to Infinity Media’s website was also connected to a site called micro-soft-system-alert2, which resolved to an IP address filled with malicious pages, including the one used for the MSN scam.

“This particular actor made the mistake of reusing the same host server for domains he had created before,” Segura wrote.
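
The registration pivot described above (shared registrant email, then shared host IP) can be expressed as a small graph search. This is an added example, not Malwarebytes' tooling or code from the article; the domains, email addresses and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample records (domain, registrant email, resolved IP); not data from the article.
RECORDS = [
    ("content-site.example", "reg1@mail.example", "192.0.2.10"),
    ("alert-site.example",   "reg1@mail.example", "192.0.2.77"),
    ("scam-page.example",    "reg2@mail.example", "192.0.2.77"),
    ("unrelated.example",    "reg3@mail.example", "192.0.2.200"),
]

def build_graph(records):
    """Bipartite graph: each domain node connects to its email and IP attribute nodes."""
    graph = defaultdict(set)
    for domain, email, ip in records:
        dom = ("domain", domain.lower())
        for attr in (("email", email.lower()), ("ip", ip)):
            graph[dom].add(attr)
            graph[attr].add(dom)
    return graph

def explain_link(records, src, dst):
    """Shortest chain of shared attributes connecting two domains, or None if unlinked."""
    graph = build_graph(records)
    start, goal = ("domain", src.lower()), ("domain", dst.lower())
    if start not in graph or goal not in graph:
        return None
    parent, queue = {start: None}, deque([start])
    while queue:  # breadth-first search, so the first hit is the shortest chain
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(f"{node[0]}:{node[1]}")
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def cluster_of(records, src):
    """All domains reachable from src through shared emails or IPs (includes src)."""
    return {d.lower() for d, _, _ in records if explain_link(records, src, d)}

if __name__ == "__main__":
    print(" -> ".join(explain_link(RECORDS, "content-site.example", "scam-page.example")))
```

A shared IP address on commodity hosting or a CDN is weak evidence on its own, so treat IP-only hops in the returned chain as leads to corroborate rather than as attribution.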

Like malicious banner ads, scams relying on promoted content work by using advertising networks to insert their attacks into trusted sites, Segura said.

“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait,” he wrote.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
