Scammers exploit native ad content providers to serve malvertising.
Scammers exploit native ad content providers to serve malvertising.

Native ad and content provider Taboola is being abused by tech support scammers to serve malvertising.

Malwarebytes researchers came across the malvertising on MSN.com, a Microsoft web portal that attracts millions of unique visitors, being promoted by Taboola a global discovery platform which Microsoft signed a deal with in 2016, according to a Sept. 28 blog post.

Upon clicking the malicious link under the guise of a sensational news story, users are redirected to a page claiming that the user's computer has crashed and that they must call a number for immediate assistance.

The phony page uses a code that repeats the warning indefinitely making it so the page can't be closed normally.

Researchers said threat actors typically create content similar to legitimate advertisers and build a profile to appear genuine by monitoring what is trending to create attractive content. Threat actors will also use conditional redirect that profiles users and returns a particular response.

“For instance, if the server determines that a bot or crawler is making a request, it may in turn either deny it or simply serve the expected content (decoy),” researchers said in the post. “Similarly, if the user is running Internet Explorer, is from North America and their IP address appears to have hit the server for the first time, they may receive a scammy page instead.”

In the MSN instance, the users were always redirected to the scam page. Researchers reported the incident to Taboola who told them they had opened an internal review of the vendor hosting the malicious content.

Users should always beware even on trusted platforms of click bait and sensational ads to prevent falling for these types of attacks.