Within the last few months, a malvertiser has been pushing malicious tech support scam ads to users of Outlook and other Microsoft-owned apps on Windows 10. A cybersecurity study found that the Hong Kong-based actor behind the scheme operates through a company called “fiber-ads.”
According to the report published by the cybersecurity firm Confiant, written by researcher Eliya Stein, the malvertiser is a Hong Kong citizen who operates as an intermediary. That is, unlike actors who “own the entire delivery chain, including the monetization after a victim is infected,” the advertiser they discovered only distributes the scam ads.
“The middle-men provide the delivery mechanism, but from there the trail can get murky very quickly as the ultimate payload probably goes to the highest bidder, or to whomever the malvertiser is partnered with at that particular moment,” reads the Confiant report.
To do this, Confiant says the malvertiser uses two companies, Fiber-Ads and Clockfollow, to place ads on legitimate ad networks. Much like other malicious ads, the ads delivered by the malvertiser carry hidden code that hijacks those who view them, redirecting them to malicious, and sometimes phishing, sites.
The malvertiser then uses a popular ad-bidding platform called MyMediaAds to sell the malicious ads to other threat actors.
“While these incidents are somewhat unique in that they are spawned outside of the confines of a web browser, in-app advertisements are not the only vehicle of delivery for this particular attacker. In fact, this application-based activity is likely just spillover from this bad actor’s already active and disruptive malvertising rampage,” added the researcher.
Furthermore, Confiant found that the ad creatives used by the suspect are “a subterfuge”: they are served only to impressions that do not pass the targeting criteria set by the bad actor’s ad-serving domain(s), and they are designed to mimic a legitimate tech advertisement.
According to the researchers, like other malvertisers, the suspect uses some form of automation to keep the operation running persistently. Because of that automation mechanism, the researchers were able to trace the MO back to over 100 additional domains going all the way back to 2017.
A tip received by the researchers suggests that “fiber-ads” has been operating since January 2019; however, as mentioned earlier, they were able to trace the operation back to 2017.
“The fiber-ads profile on MyMediaAds reveals an active participant in a gray market where advertisers can transact or form joint ventures with hawkers of cheap inventory that has very questionable provenance,” they added.
With the data available to Confiant, they were able to determine that the malvertising operation has been very “active and persistent.” Their fraudulent campaigns peaked at 28MM and 14.5MM ad impressions, and a total of 100MM impressions had been served this year as of mid-June.
Furthermore, the study reveals that while desktop and mobile devices are targeted in relatively equal quantities, Windows and iOS seemed to be “favored” by the attackers.
Nonetheless, Confiant is unsure how the operation of middle-men like fiber-ads and Clockfollow plays out in the wild. It is also unclear whether the ads they run are their own or are run on behalf of a partner. What is clear to the researchers is that the two companies have built relationships with real-time bidding (RTB) platforms and DSPs, which gives them access to premium traffic and high-quality audiences.
They raise the concern that once ads bought through these DSPs are served to audiences, anything can happen, from a redirect to a site that auto-installs malware to full-blown phishing and ransomware attacks.
“As a parting thought, we would like to suggest that ad tech platforms take extra care to vet their advertisers — and if something smells a bit fishy, like a buyer incorporated in a dodgy jurisdiction, it might be prudent to bypass that business opportunity altogether.”