Online criminals are notorious for lurking on social media sites and tricking users into visiting malicious links. We recently observed a scheme where Facebook users are clicking on posts that lead to external websites set up for the sole purpose of scamming them out of hundreds of dollars via fake browser alerts.

What is unique with this campaign is the abuse of Google Cloud Run to generate new malicious links every few minutes. We've never previously seen tech support scams hosted on Google's serverless platform, and certainly not at this scale.

In this blog, we expose the techniques used by scammers to lure victims while evading detection. We have reported these incidents to both Facebook and Google.

Facebook posts with malicious links

Facebook relies on users sharing content by posting photos, videos or links to various stories. However, when a link is posted for an external website, Facebook can no longer control the user experience, and in particular any risk that may occur from visiting it.

We identified several Facebook accounts that were posting a number of stories, ranging from clickbait articles to newsworthy content. We're unsure whether those accounts were compromised or not, but we noticed that the same account posted more than one malicious link but at different time intervals, indicating that it might have been controlled by a threat actor.

In the next section, we take a look at how these websites are set up in a way to deceive security controls by employing a technique known as cloaking.

But the closer you look at those sites, the more you realize they are bogus: They're essentially the same content with different domain names.

If you were to visit the URLs while running a VPN or perhaps via a country that is not targeted, you will see what appears to be a typical news site devoid of any scam. This is the same old cloaking technique where a fraudster creates a decoy page to deceive online platforms and security tools.

Now, if you happen to click on a Facebook post as a real human (not a bot or using a VPN), you will get something entirely different, as the cloaking domains will perform a 302 redirect. This is a simple server-side instruction that will load another website immediately and seamlessly.

In the diagram below, we can see the network traffic and details for each web request, eventually loading a page that we are all too familiar with: a fake Microsoft alert.

One thing that drew our attention immediately was that the fake error pages are hosted on Google Cloud Run, a "managed compute platform that lets you run containers directly on top of Google's scalable infrastructure". Essentially, developers only need to create a container and deploy it as a microservice, without the need for a server, allowing them to focus on the code instead.

For a scammer, this is simply another platform they can abuse with minimum overhead costs. In fact, Google offers new customers $300 in free credits to spend on Cloud Run and two million requests free per month, not charged against credits.

We monitored the cloaking domains closely for some time and determined that the threat actor has set up a scheduled task that creates a new Cloud Run URL every 5 minutes. This new URL is immediately available and assigned to the cloaking domain for the malicious redirect.

Over the course of a few days, we observed thousands of malicious URLs. Not only does the URL keep on changing, but the IP addresses they are using are also shared with other customers. This means that any security product relying on a domain or IP blocklist will be unable to keep up with this campaign.

Staying protected with social media and scams

Social media can be a great source of entertainment or a way to connect with family and friends. However, there are inherent risks to using these platforms and caution should be exercised.

Clickbait articles are notorious for leading to various bogus offers or worse. Another issue is how promoted posts can quickly become viral as victims inadvertently share links with their contacts.

Certainly, tech support scammers are well aware of how to target certain demographics, such as seniors, and lure them in via deceptive Facebook posts.

As always, we recommend not panicking even if your computer screen suddenly becomes hijacked as a stern audio recording plays back.
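
Because the Cloud Run URL changes every 5 minutes while the cloaking domain that issues the 302 stays the same, a defender can look for the churn itself instead of blocklisting each new URL. The sketch below is an added example, not code from the original post: the log record layout, the hostnames and the thresholds are constructed assumptions, and it relies only on the fact that Cloud Run service URLs use the `run.app` domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy records (not from the post):
# (epoch seconds, requested URL, HTTP status, Location header)
SAMPLE_LOG = [
    (0,   "https://daily-news.example/story?id=1", 302, "https://svc-a1b2c3-uc.a.run.app/"),
    (300, "https://daily-news.example/story?id=1", 302, "https://svc-d4e5f6-uc.a.run.app/"),
    (600, "https://daily-news.example/story?id=2", 302, "https://svc-g7h8i9-uc.a.run.app/"),
    (650, "https://shop.example/cart", 302, "https://shop.example/login"),
    # A legitimate site that always redirects to the same Cloud Run service.
    (700, "https://app.example/", 302, "https://myapp-xyz-ew.a.run.app/"),
    (900, "https://app.example/", 302, "https://myapp-xyz-ew.a.run.app/"),
    (950, "https://daily-news.example/", 200, ""),
]

CLOUD_RUN_SUFFIX = ".run.app"  # default domain of Cloud Run service URLs


def host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def rotating_redirectors(records, window=3600, min_targets=3):
    """Map each redirecting host to the distinct Cloud Run hosts it sent
    visitors to, if it used >= min_targets of them within `window` seconds."""
    seen = defaultdict(list)  # redirecting host -> [(timestamp, target host)]
    for ts, url, status, location in records:
        target = host(location) if status == 302 and location else ""
        if target.endswith(CLOUD_RUN_SUFFIX):
            seen[host(url)].append((ts, target))

    flagged = {}
    for source, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct targets in the window that opens at this hit.
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[source] = sorted(targets)
                break
    return flagged
```

The flagged key is the cloaking domain, which is the stable artifact to block or report; the per-URL targets are only supporting evidence.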