A group behind the recent outbreaks of malicious advertisements being displayed through Windows 10 apps and Microsoft games has been identified as being based out of Hong Kong. This group is behind millions of advertisements that redirect users to scams, malware, and adware bundles.
In April and June of this year, BleepingComputer reported on how French and German users were being targeted by malvertising that displayed tech support scams, phishing pages, and fake sweepstakes. What was making this attack unusual was that the ads were being displayed in free Microsoft games and Windows 10 apps that allowed them to escape the app and launch unwanted sites in a user’s default browser.
According to a report shared with BleepingComputer, advertising security company Confiant discovered a Hong Kong based advertiser that was creating corporate identities to partner with DSPs (demand-side platforms). It would then distribute their low quality and often malicious ads through the DSPs to other ad networks and publishers.
“In March 2019, we were fortunate to receive some feedback from one of our platform customers regarding a campaign that fit the attribution model for this attacker. We were told that the buyer, “fiber-ads”, has been active as of January 2019,” Confiant security engineer and researcher Eliya Stein stated in their report. “We were able to confirm this exact buyer with multiple platform partners as well. We were also told that they recently pivoted to a new corporate identity, “Clickfollow”.”
In addition to directly partnering with DSPs, “fiber-ads” was also a participant in the advertising marketplace MyMediAds.
In the image below, Confiant shows how this malvertiser was actively looking for access to premium exchanges and self-service platforms. They were also looking to advertise gift card, free Samsung or iPhone, and sweepstakes scams.
This malvertising group has been very successful, with over 100 million ads shown in 2019 alone and their two biggest peaks being in May 2019 and June 2019. The May campaign occurred around the same time frame that French users were reporting seeing these ads and June corresponds to when German users were reporting them.
“When visualized, campaign volumes associated with this attribution model paint a picture of a very active and persistent malvertiser. The two peaks below are approximately 28MM and 14.5MM impressions respectively with over 100MM impressions served this year as of mid June.”
Currently, the malvertising campaigns from this group are being monitored and blocked by Confiant, but the advertising security company warns that advertisers need to do better job in vetting their advertisers and if something feels at all off, they should avoid business opportunity.
“As a parting thought, we would like to suggest that ad tech platforms take extra care to vet their advertisers — and if something smells a bit fishy, like a buyer incorporated in a dodgy jurisdiction, it might be prudent to bypass that business opportunity altogether.”
Malvertising led to scams and malware
The malvertising campaigns were not being distributed solely to target Windows 10 apps and Microsoft Games. Instead they were targeting a particular subset of users and as Microsoft apps can be monetized with in-app ads, they were being displayed there as well.
When a user was served an ad from one of these malvertising campaign, the malvertiser’s ad server would determine if they were a user they wished to target with a scam ad.
If not, the user was shown a generic fake ad, but if the user was one being targeted, the ad code would automatically redirect the user to a scam page that showed sweepstake, free phone, and tech support scams.
Examples of the types of scams a mobile user may have seen are shown below.
In addition to tech support scams and free products, desktop users would also be shown more malicious payloads in the form of pages that push unwanted security programs and adware bundles.
As always, users should never download any software from a web site stating that a risk or security issue has been found. These commonly lead to malware and fake security software being installed on a computer.