Cybercriminals Exploit Facebook Ads in Sophisticated Three-Step Malvertising Scheme
A malvertising campaign is abusing Facebook’s paid advertising platform to push users through a three-step redirect chain that ends in a technical support scam (TSS) kit. The goal is not to deliver malware but to frighten the victim into calling a fraudulent support hotline, where the actual fraud takes place.
Step 1: Initiation via Facebook Paid Ads
The attack begins when a user clicks a paid advertisement on Facebook. Instead of leading to the advertised business, the ad’s link starts a redirection sequence: the first hop is never the scam page itself, so automated checks that only inspect the ad’s direct destination see nothing malicious.
Step 2: Redirection to Decoy Site
The first redirect lands on a decoy website styled as an Italian restaurant page, which looks harmless and plausibly related to the ad. The decoy does two jobs: a crawler or URL scanner that follows the ad link sees only an innocuous restaurant page, and the decoy forwards only real browser sessions to the next stage, so the link to the scam page is never exposed to security scanners.
Step 3: Final Destination – Malicious Landing Page
The user is then forwarded to a fraudulent landing page hosted on Azure Storage static websites, which serve content from subdomains of `web.core.windows.net`. Because the parent domain belongs to Microsoft, the address lends an air of authenticity to the fraudulent alerts. These pages mimic official system warnings, falsely claiming the device is compromised, to pressure the victim into calling a fake support hotline.
Evasion Tactics and Infrastructure Rotation
Analysts at Gen Threat Labs identified this campaign, noting its highly targeted nature and rapid infrastructure rotation. The attackers target only users in the United States, a restriction the ad platform’s own geographic targeting provides, and run the ads primarily on weekdays, a pattern that suggests an operator working a professional schedule. To stay ahead of blocklists, the threat actors rotated through more than 100 unique domains in just seven days.
Abuse of Trusted Cloud Services
A defining characteristic of this campaign is its abuse of trusted cloud services to mask malicious intent. Hosting the TSS landing pages on Azure complicates mitigation: blocking `windows.net`, or even `web.core.windows.net`, wholesale would break legitimate Azure-hosted sites, so defenders are forced to block individual storage-account hostnames, which the attackers can create faster than blocklists are updated. The decoy site further obfuscates the attack flow by ensuring that only real browser interactions reach the scam kit. This reliance on legitimate infrastructure, combined with the high volume of domain rotation, lets the campaign evade static blocklists and signature-based detection.
Recommendations for Users and Security Teams
Users should treat social media advertisements with the same suspicion as unsolicited links: check where a link actually leads before clicking, be wary of unexpected redirects, and close the tab on any page that shows a full-screen security warning with a phone number to call, since legitimate Microsoft and browser alerts never include one. Security teams should block the published indicators of compromise (IOCs), but because the domains turn over within days they should also monitor proxy and DNS logs for redirect chains that start at a Facebook ad link, pass through a domain seen for the first time, and end on a `*.web.core.windows.net` host, and should inventory legitimate internal use of Azure static websites so that known-good storage accounts can be allowlisted.
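As an added example (not code from the Gen Threat Labs report), the following Python script implements that monitoring over proxy logs: it reconstructs the Facebook ad, decoy, Azure static-site chain per client, catching both a server-side 3xx redirect and a client-side redirect that only shows up as a follow-up request carrying the decoy as its Referer, and then counts how many distinct decoy domains appear in the busiest seven-day window as a rotation signal. The log format, client addresses, decoy hostnames (`*.invalid`) and storage-account names (`stexample01`, `stexample02`, `stlegit`) are constructed placeholders, not campaign indicators.

```python
"""Reconstruct Facebook-ad -> decoy -> Azure static-site redirect chains from proxy logs.

Added example, not code from the Gen Threat Labs report. The log format, client
addresses, decoy hostnames (*.invalid) and storage-account names (stexample*) are
constructed placeholders, not indicators from the campaign.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log lines. Format: "<ts> <client> <status> <url> referer=<url|-> location=<url|->"
SAMPLE_LOG = """\
2024-05-14T13:02:11Z 10.0.0.7 302 https://l.facebook.com/l.php?u=https%3A%2F%2Ftrattoria-example.invalid%2Fmenu referer=https://www.facebook.com/ location=https://trattoria-example.invalid/menu
2024-05-14T13:02:12Z 10.0.0.7 302 https://trattoria-example.invalid/menu referer=https://l.facebook.com/ location=https://stexample01.z13.web.core.windows.net/alert.html
2024-05-14T13:02:13Z 10.0.0.7 200 https://stexample01.z13.web.core.windows.net/alert.html referer=https://trattoria-example.invalid/menu location=-
2024-05-14T13:05:40Z 10.0.0.9 200 https://learn.microsoft.com/ referer=- location=-
2024-05-14T13:06:02Z 10.0.0.9 200 https://stlegit.z6.web.core.windows.net/index.html referer=https://intranet.example/ location=-
2024-05-15T09:11:00Z 10.0.0.7 200 https://pizzeria-example.invalid/ referer=https://l.facebook.com/ location=-
2024-05-15T09:11:01Z 10.0.0.7 200 https://stexample02.z13.web.core.windows.net/alert.html referer=https://pizzeria-example.invalid/ location=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+) "
    r"referer=(?P<referer>\S+) location=(?P<location>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def host(url):
    """Lower-cased hostname of a URL, or '' for an empty ('-') field."""
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()


def is_facebook(h):
    return h == "facebook.com" or h.endswith(".facebook.com")


def is_azure_static(h):
    # Azure Storage static websites are served from <account>.<zone>.web.core.windows.net
    return h.endswith(".web.core.windows.net")


def find_chains(events, window=timedelta(seconds=60)):
    """One record per (client, decoy): a request arriving from Facebook lands on a
    non-Facebook host (the decoy), which then hands the browser to an Azure static
    website either via a 3xx Location header or via a follow-up request from the
    same client within `window` that carries the decoy as its Referer (the
    client-side redirect case that a non-browser scanner would never trigger)."""
    events = sorted(events, key=lambda e: e["ts"])
    found, seen = [], set()
    for i, e in enumerate(events):
        decoy = host(e["url"])
        if not is_facebook(host(e["referer"])) or is_facebook(decoy):
            continue
        landing = ""
        if 300 <= e["status"] < 400 and is_azure_static(host(e["location"])):
            landing = host(e["location"])
        else:
            for f in events[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break
                if (f["client"] == e["client"] and host(f["referer"]) == decoy
                        and is_azure_static(host(f["url"]))):
                    landing = host(f["url"])
                    break
        if landing and (e["client"], decoy) not in seen:
            seen.add((e["client"], decoy))
            found.append({"ts": e["ts"], "client": e["client"],
                          "decoy": decoy, "landing": landing})
    return found


def peak_rotation(chains, window=timedelta(days=7)):
    """Largest number of distinct decoy domains seen in any span of `window`;
    a high value is the domain-rotation signal described in the text."""
    chains = sorted(chains, key=lambda c: c["ts"])
    best = 0
    for i, start in enumerate(chains):
        seen = {c["decoy"] for c in chains[i:] if c["ts"] - start["ts"] <= window}
        best = max(best, len(seen))
    return best


if __name__ == "__main__":
    chains = find_chains(parse_log(SAMPLE_LOG))
    for c in chains:
        print(f"{c['ts']:%Y-%m-%d %H:%M:%S} {c['client']} {c['decoy']} -> {c['landing']}")
    print("distinct decoy domains in busiest 7-day window:", peak_rotation(chains))
```

On the sample log the script reports two chains (one per decoy) and ignores the `stlegit` static site reached from the intranet, which is the allowlisting case: the match key is the referrer chain, not the Azure suffix alone, so ordinary Azure-hosted content does not fire. In production the parser would be replaced by the proxy's real log schema, and the decoy list would be joined against a first-seen-domain feed before alerting.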