A sophisticated new three-step malvertising chain is abusing Facebook paid ads to push a tech support scam (TSS) kit, posing a significant risk to individual users in the United States. Malicious actors are increasingly weaponizing social media ads to bypass traditional security filters and deliver harmful content to unsuspecting victims. This latest campaign orchestrates a three-step malvertising chain designed to deceive users and funnel them into a fraudulent technical support scheme.
The attack vector initiates when a user interacts with a paid advertisement displayed on their social feed. Instead of directing traffic to a legitimate business, the ad triggers a redirection sequence. The victim is first routed to a decoy website, specifically designed to mimic an Italian restaurant page, which acts as a crucial buffer. This intermediate step is intended to evade automated detection scanners that might otherwise flag a direct link to a malicious site. Once past this initial filter, the user is forwarded to the final destination: a fraudulent landing page engineered to instill panic.
Gen Threat Labs analysts identified this specific activity, highlighting its highly targeted nature and the attackers’ rapid infrastructure rotation. According to the researchers, the campaign is exclusively targeting users in the United States and operates with a distinct temporal pattern. To maintain persistence and avoid blacklisting, the threat actors reportedly rotated through more than 100 unique domains in a seven-day period. This activity was observed primarily on weekdays, suggesting the attackers are operating on a professional schedule, likely to maximize their reach during peak user engagement hours.
Evasion Through Legitimate Infrastructure in Malvertising
The most defining characteristic of this malvertising campaign is its abuse of trusted cloud services to mask malicious intent. The final stage of the chain deposits the victim onto a landing page hosted on Microsoft Azure’s cloud infrastructure. By using legitimate subdomains such as *.web.core.windows.net, the scammers lend a veneer of authenticity to their fraudulent alerts. These pages typically mimic official system warnings, falsely claiming the user’s device is compromised in order to coerce the victim into calling a fake support hotline. Hosting the TSS landing pages on Azure complicates mitigation, because broadly blocking the parent web.core.windows.net domain would also disrupt legitimate services hosted there.
Additionally, the carefully crafted decoy site further obfuscates the attack flow, ensuring that only real browser interactions reach the scam kit. This tactic, often referred to as “living off the land,” combined with the high volume of domain rotation, allows the campaign to slip past static blocklists and signature-based detection systems. The attackers are exploiting the trust associated with reputable cloud providers and legitimate-looking website templates to ensnare their targets.
The implications of this escalating cyber threat are significant. Users are strongly advised to exercise extreme caution when clicking on social media advertisements. Verifying URL destinations before interacting with content and being wary of unexpected redirects are crucial preventive measures. Security teams should implement blocks for the identified indicators of compromise (IOCs) and maintain vigilance for similar anomalous traffic patterns involving Azure subdomains. Continued monitoring of these evolving malvertising techniques will be essential for bolstering defenses against such sophisticated attacks. The ongoing exploitation of legitimate platforms underscores the perpetual cat-and-mouse game between cybercriminals and security researchers.
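Security teams that want to hunt for this chain in their own proxy telemetry can look for the sequence the report describes: a request referred by the ad platform, followed seconds later by a request to a *.web.core.windows.net host that is referred by the first request's host, and then a high count of distinct intermediate and landing hostnames over time. The script below is an added example, not code from Gen Threat Labs or Microsoft. It assumes a constructed, whitespace-separated proxy log format (epoch seconds, client IP, referer host, requested URL); the Facebook referer suffix, the 30-second hop window and every hostname in the sample log are assumptions or constructed placeholders, not real indicators.

```python
"""Detection heuristics for the ad -> decoy -> Azure-hosted scam page chain.

Added example (not Gen Threat Labs' or Microsoft's code). Assumed log format:
    <epoch_seconds> <client_ip> <referer_host_or_-> <requested_url>
All hostnames in SAMPLE_LOG are constructed placeholders, not real IOCs.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: a paid-ad click arrives with a Facebook referer (the report names
# Facebook ads as the entry point; the exact referer hosts are assumed).
AD_REFERER_SUFFIXES = ("facebook.com",)
# Azure static-website hosting suffix the report names as the landing host.
LANDING_SUFFIX = ".web.core.windows.net"
# Assumption: the decoy page forwards to the landing page within seconds.
MAX_HOP_GAP = 30

# Constructed sample traffic: two complete chains and one benign ad click.
SAMPLE_LOG = """\
1000 10.0.0.5 www.facebook.com https://trattoria-decoy-1.example/menu
1003 10.0.0.5 trattoria-decoy-1.example https://alertpage01.z13.web.core.windows.net/index.html
1050 10.0.0.7 www.facebook.com https://realpizza.example/order
1900 10.0.0.7 - https://docs.example/static/app.html
2000 10.0.0.9 www.facebook.com https://trattoria-decoy-2.example/
2004 10.0.0.9 trattoria-decoy-2.example https://alertpage02.z13.web.core.windows.net/
"""


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_log(text):
    """Return (ts, client, referer_host, requested_host) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, referer, url = parts
        host = urlparse(url).hostname
        if host is None:
            continue
        records.append((int(ts), client, referer.lower(), host.lower()))
    return records


def find_chains(records):
    """Return [(client, ad_referer, decoy_host, landing_host)] for full chains."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    chains = []
    for client, recs in by_client.items():
        recs.sort()  # chronological per client
        for i, (ts, _, referer, host) in enumerate(recs):
            if not host.endswith(LANDING_SUFFIX):
                continue
            # Hop 2 -> 3: the landing request must be referred by a host this
            # client fetched moments earlier; hop 1 -> 2: that earlier request
            # must itself have come from the ad platform.
            for pts, _, preferer, phost in reversed(recs[:i]):
                if ts - pts > MAX_HOP_GAP:
                    break
                if phost == referer and host_matches(preferer, AD_REFERER_SUFFIXES):
                    chains.append((client, preferer, phost, host))
                    break
    return chains


def rotation_count(chains):
    """Distinct decoy and landing hosts seen; high churn is the rotation signal."""
    decoys = {c[2] for c in chains}
    landings = {c[3] for c in chains}
    return len(decoys), len(landings)


if __name__ == "__main__":
    found = find_chains(parse_log(SAMPLE_LOG))
    for client, ad, decoy, landing in found:
        print(f"{client}: {ad} -> {decoy} -> {landing}")
    print("distinct decoy/landing hosts:", rotation_count(found))
```

The referer-chain check is what keeps this from flagging every visit to Azure static sites: a client that reaches a *.web.core.windows.net host directly, or from a non-ad referer, produces no hit, which matters because the report notes that blocking the parent domain outright would break legitimate services. The decoy and landing hostnames collected by find_chains can then be fed to a blocklist as specific indicators, and a rising rotation_count over consecutive days is the signal to watch for given the 100-plus domains observed in a week.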