This blog post was authored by Jérôme Segura
Black Friday is the annual kick off to the shopping season for brick and mortar and online retailers. However, it’s not just businesses that rejoice in seeing the afflux of customers wanting to spend money. Scammers are waiting around the corner ready to take advantage of the situation in any way they can.
Case in point, a malicious advertiser has been ramping up a fraudulent campaign via Google ads for the popular Walmart brand. Perhaps due to the upcoming Black Friday shopping deals, we are seeing a dramatic increase in traffic towards a number of malicious sites registered for the purpose of serving tech support scams.
We collected all the data that we found about this malvertising campaign and shared it with Google who acknowledged our notification.
The advert
Back in July we saw a malvertising campaign where the threat actor was bidding on popular keywords such as ‘youtube’ and ‘facebook’. This time it appears they are exclusively targeting ‘walmart’ and the volume we are seeing in our telemetry has gone from a handful of hits to thousands in the past two days.
We believe it might simply be due to the fact that online searches for retailers (not limited to Walmart) have gone up in the days leading to Black Friday sales. The crooks are simply riding that wave and benefiting from increased traffic.
Here’s how the malicious redirection happens: first the user searches for the word ‘walmart’ in Google. Based on their location and other factors (cookies, etc.) a malicious ad may be displayed at the the top. Although it looks legitimate, unsuspecting users clicking on it will be redirected to a tech support scam page claiming their computer is infected.
Visually the advert looks legitimate as it appears to display the official website URL, although as we’ll come to see that does not mean anything. In fact, the true destination URL (adurl) is not explicitly shown to users and requires some traffic inspection to be able to catch it.
The Google link itself creates a series of redirects. We can finally see the destination URL (advertiser’s domain which is nveswillrema[.]ga). That should raise some eyebrows due to being a top level domain often used by scammers. In total, we have identified over 50 different advertiser domains registered for the purpose of malvertising (please see IOCs section).
We also spot a URL for the legitimate Walmart store whose sole purpose is to deceive the ad network via a process known as cloaking. If you click on this ad and are not the intended victim, you will be redirected to the Walmart site and never see anything malicious.
However, if your IP address and browser profile matches, the threat actor will instead redirect you to a tech support scam page. Because this campaign has gained so much momentum, it has lead some people to wonder if the Walmart site itself had been hacked. The Walmart site is not hacked but users are clicking on ads that are malicious. Below is the traffic redirection that happens when the right victim click on the ad:
The browser locker
The threat actors are using a number of disposable domains for the tech support scam page, also making it more difficult to block. The fake warnings contain audio to scare users and trick them into calling a phone number for assistance.
Bogus tech support agents are at the ready for you to let them gain remote access to your computer. Depending on their skills and luck, they may be able to steal thousands of dollars from a victim’s bank account at once.
Monetizing clicks for badness
Ads can be deceiving and unfortunately crooks will always keep trying to abuse the system. The way search engines are designed makes it even easier to lead victims down the wrong path because ads or sponsored results tend to be displayed prominently.
As humans we tend to take the path of least resistance and we will click whatever comes first, even if it’s an (malicious) ad. In the best case scenario, the retailer will pay for each click instead of getting ‘organic’ SEO traffic. In the worst case, a malicious advertiser will hijack the click and redirect them to a page of their choice.
Visiting the retailer’s website directly by typing its address may be wiser, provided you don’t typo it! Or you could also click on the link at the very right of the page which gives high level information about the company. Unfortunately, this area of the screen tends to be cooler than right beneath the search results, meaning it gets less attention and clicks.
We have reported the ads we were able to identify to Google.
Indicators of Compromise
Domains used by the advertiser:
1keto[.]2022ketoabsolut[.]ru[.]com
1ketogo[.]shop
2022ketoabsolut[.]ru[.]com
angelbakery[.]cfd
barnevebarjekind[.]ga
carringwattspecinchic[.]ga
cegbakery[.]bar
commercialpropertyins[.]com
ecarti[.]ga
eternaluniversity[.]com
factrazor[.]com
fepheringwoodschecto[.]ga
firmcijerpa[.]ga
katherinemaldonado[.]xyz
katherinestokes[.]click
kellyrobertson[.]click
ketis[.]2022ketoabsolut[.]ru[.]com
keto-nummi[.]shop
kevinstevens[.]xyz
kikilosens[.]xyz
kimpage[.]xyz
kokolosinb[.]xyz
lahmulidedif[.]ga
leonawells[.]click
lidentebitinf[.]ga
lindalewis[.]xyz
loismatthews[.]xyz
loloysnn[.]xyz
loriallen[.]xyz
louisrduiz[.]xyz
marvinsteele[.]xyz
nanamonavi[.]xyz
nistbipec[.]ga
nonsligi[.]ga
otzyv-tut[.]review
paulabell[.]xyz
pekcari[.]ga
phyllislambert[.]xyz
pickregessi[.]ga
querepobureke[.]ga
rebeccamyers[.]xyz
reelsredtato[.]cf
riadholunpa[.]cf
richardramirez[.]click
robertgarcia[.]xyz
robertmendoza[.]xyz
rodneyvasquez[.]xyz
ronaldmiller[.]xyz
rosebennett1[.]xyz
rosecarter[.]xyz
sarapatton[.]xyz
schooljilteca[.]ga
slimm[.]2022ketonkayal[.]ru[.]com
stapaman[.]ga
titerviconti[.]ga
whetiredpe[.]ga
