Microsoft Edge’s News Feed ads abused for tech support scams

Gandalf_The_Grey

An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.

Microsoft Edge is currently the default web browser on computers running the Windows operating system and it currently has a 4.3% market share worldwide, according to Statcounter's Global Stats.

This scam operation has been running for at least two months, according to Malwarebytes' Threat Intelligence Team, who said this is one of the most extensive campaigns at the moment based on the amount of telemetry noise it generates.

This is not surprising considering its scale, with the attackers switching between hundreds of ondigitalocean.app subdomains to host their scam pages within a single day.

The several malicious ads they're injecting into the Edge News Feed timeline are also linked to more than a dozen domains, at least one of them (tissatweb[.]us) also known for hosting a browser locker in the past.

The redirection flow used to send Edge users starts with a check of the targets' web browsers for several settings, such as timezone, to decide if they are worth their time. If not, they'll send them to a decoy page.

To redirect to their scam landing pages, the threat actors use the Taboola ad network to load a Base64 encoded JavaScript script designed to filter the potential victims.

"The goal of this script is to only show the malicious redirection to potential victims, ignoring bots, VPNs and geolocations that are not of interest that are instead shown a harmless page related to the advert," Malwarebytes explained.

"This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers."
 
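A defender-side way to hunt for the hosting pattern described in the post above, as an added example that is not part of the original thread or of Malwarebytes' research. The log format, the per-day threshold and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosting suffix and the previously seen domain, both as named in the post
# (the domain stays defanged in source and is refanged only for matching).
CHURN_SUFFIX = ".ondigitalocean.app"
KNOWN_DOMAINS = {d.replace("[.]", ".") for d in ("tissatweb[.]us",)}
# Assumption: per-day threshold to tune locally; the post only says "hundreds".
MAX_DISTINCT_PER_DAY = 3

# Constructed sample proxy log, hypothetical format: "timestamp client url".
SAMPLE_LOG = """\
2022-01-10T09:01:11Z 10.0.0.5 https://constructed-a.ondigitalocean.app/
2022-01-10T09:07:40Z 10.0.0.9 https://constructed-b.ondigitalocean.app/
2022-01-10T11:15:02Z 10.0.0.5 https://constructed-c.ondigitalocean.app/
2022-01-10T13:44:19Z 10.0.0.7 https://constructed-d.ondigitalocean.app/
2022-01-10T13:45:00Z 10.0.0.7 https://www.example.com/news
2022-01-11T08:30:00Z 10.0.0.9 https://constructed-a.ondigitalocean.app/
2022-01-11T08:31:00Z 10.0.0.9 http://TISSATWEB.us/landing
malformed line
"""

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").rstrip(".")

def analyse(log_text, limit=MAX_DISTINCT_PER_DAY):
    """Return (days with too many distinct app subdomains, known-domain hits)."""
    per_day = defaultdict(set)
    known_hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed records
            continue
        ts, client, url = parts
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
            known_hits.append((ts, client, host))
        if host.endswith(CHURN_SUFFIX):
            per_day[ts[:10]].add(host)   # bucket by calendar day
    churn = {day: sorted(h) for day, h in per_day.items() if len(h) > limit}
    return churn, known_hits

if __name__ == "__main__":
    churn_days, hits = analyse(SAMPLE_LOG)
    for day, hosts in churn_days.items():
        print(f"{day}: {len(hosts)} distinct {CHURN_SUFFIX} hosts -> review")
    for ts, client, host in hits:
        print(f"{ts} {client} reached known domain {host}")
```

Legitimate applications are also served from ondigitalocean.app subdomains, so a day flagged for subdomain churn is a lead for review rather than a verdict.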

oldschool

Users need to treat these news feeds, etc. from Edge or other browsers like Brave the same way we use adblockers. The answer is to disable all these **** 'features'. I gladly trade off convenience for less invasive, distracting and potentially malicious visual clutter. The word! (y)(y):cool:
 

Gandalf_The_Grey

> Users need to treat these news feeds, etc. from Edge or other browsers like Brave the same way we use adblockers. The answer is to disable all these **** 'features'. I gladly trade off convenience for less invasive, distracting and potentially malicious visual clutter. The word! (y)(y):cool:

I always do that, less is more (y)
 

Mystic

That is why I prefer Firefox. Just have a look how clean and minimalistic Firefox is when you disable everything you do not need.

[Attachment: Screenshot (3).png]
 
