Malicious actors have substantially evolved the use of fake alert scams in recent years, in particular, the increasing targeting of mobile users, according to a new report by
Sophos.
The investigation, authored by Sean Gallagher, senior threat researcher at Sophos, found that “a vast majority” of the fake alerts in malvertising networks targeted mobile users. This is partly because mobile has become a greater source of internet traffic, but these devices also offer easier modes of attack compared to desktop. For instance, iOS Safari’s accessibility function allows pop-up ads to make phone calls to lure victims to a dodgy app on the corresponding app store without scammers needing to cold call or voice-phish victims.
Gallagher added that most of the iOS fake alerts discovered were linked to App Store listings for a group of apps that claimed to be virtual private networking and site blocker tools. These apps all included in-app purchases, requiring payments to be made following a trial period.
The study also observed that desktop tech support scam operations have evolved over the past decade, primarily shifting from call center cold calls to more automated targeting techniques. These include pull-based attacks based on Google search ads and search engine optimization, vishing campaigns prompting the target to call back and email or text phishing campaigns to lure targets to a fraudulent website.
In addition, it was highlighted how malicious alerts masquerading as pop-up/pop-under ads, such as PopCash.net and PopAds.net, are being routed through legitimate advertising networks. They are therefore able to slip through as blocking them would substantially disrupt these advertising networks’ business models.
