
Malvertising Attack Spreads Malicious Sponsored Content Via Taboola

Scammers are increasingly using sponsored content to redirect users toward malicious sites, say researchers.

The trend is a new twist on ‘malvertising’, which conventionally relies on malicious banner adverts, according to computer security firm Malwarebytes, which gave details on a recent scam uncovered on Microsoft’s website.

Content network

The scam relied on authentic-looking content provided via Taboola, which provides sponsored content typically labelled “More stories from around the web” or “You may also like…”

When Malwarebytes’ researcher clicked on a particular Taboola-provided article they were redirected to a tech support scam page displaying a warning that the user’s computer had crashed and providing a telephone number for users to call.

Attackers created a genuine-looking content website to launch the scam

“The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely,” wrote Malwarebytes researcher Jérôme Segura in an advisory. “Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.”

The sophisticated scam involved the creation of a seemingly genuine content website called Infinity Media, similar in appearance to others that provide content via Taboola, Segura said.

In order to entice users to click on its articles the site used tactics similar to those of genuine advertisers, such as researching popular news trends and using search engine optimised keywords.

“The point is to do a little bit of market study on what the most searched for stories or keywords are in order to attract traffic,” Segura wrote.

But in this case, Infinity Media was performing conditional redirects, with certain traffic, such as that from search engine crawlers, being directed to seemingly genuine content, while clicks determined to originate from an ordinary user would be directed toward the tech support scam, Segura said.
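The conditional redirect described above can be checked for by fetching the same sponsored link under different client profiles and comparing where each one lands. The following is an added example, not code from Malwarebytes or from the original article; the hosts, profile names and recorded hops are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: redirect hops recorded when the same sponsored link
# was fetched under two client profiles. All hosts are placeholders.
OBSERVATIONS = {
    "crawler": [  # search-engine crawler User-Agent, no referrer
        ("https://content-site.example/story-123", 200, None),
    ],
    "user": [  # desktop browser User-Agent, referrer set to the publisher page
        ("https://content-site.example/story-123", 302, "/go?id=123"),
        ("https://content-site.example/go?id=123", 302,
         "http://alert-page.example/warning"),
        ("http://alert-page.example/warning", 200, None),
    ],
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def final_url(hops):
    """Follow recorded (url, status, location) hops and return the landing URL."""
    current = hops[0][0]
    for url, status, location in hops:
        if url != current:
            raise ValueError(f"chain broken: expected {current}, got {url}")
        if status in REDIRECT_CODES and location:
            current = urljoin(url, location)  # Location may be relative
        else:
            return current
    raise ValueError("chain ends on a redirect; capture is incomplete")


def cloaking_report(observations, baseline="crawler"):
    """Compare each profile's landing host with the baseline profile's."""
    landings = {p: final_url(h) for p, h in observations.items()}
    base_host = urlsplit(landings[baseline]).hostname
    divergent = {p: u for p, u in landings.items()
                 if urlsplit(u).hostname != base_host}
    return {"baseline": landings[baseline], "divergent": divergent,
            "cloaked": bool(divergent)}


if __name__ == "__main__":
    print(cloaking_report(OBSERVATIONS))
```

A landing host that differs between the crawler profile and the ordinary-user profile is the signal worth escalating for manual review of the advertiser.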


Domain link

The seemingly genuine content site and the tech support scam page appeared to be completely separate, but Malwarebytes determined they were created by the same attacker by analysing the two sites’ domain registration information.

Researchers found that the email address linked to Infinity Media’s website was also connected to a site called micro-soft-system-alert2, which resolved to an IP address filled with malicious pages, including the one used for the MSN scam.

“This particular actor made the mistake of reusing the same host server for domains he had created before,” Segura wrote.

Like malicious banner ads, scams relying on promoted content work by making use of advertising networks to insert their attacks into the sites of trusted sites such as, Segura said.

“Users should be aware that even on a trusted platform, they should watch what they click on and be careful of sensationalist stories that may be used as click bait,” he wrote.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
