Microsoft Edge News Feed infiltrated by tech support scammers


UPDATE: Microsoft has told TechRadar Pro that, following the report, it has taken action against the malicious advertiser.

"In partnership with our advertising providers, we have removed this content and blocked the advertiser from our networks. We remain dedicated to our users’ safety and will continue to work with our partners to detect, eliminate, and provide new technological solutions to prevent malware attacks and address these threats," a Microsoft spokesperson told us.

Scammers are planting malicious advertisements in the Microsoft Edge news feed, according to new research from antivirus and VPN provider Malwarebytes.

In a blog post by its threat intelligence team, the company claims that the scheme, set up to “direct victims to tech support scam pages”, has been in motion for at least two months.

This scam operation has been particularly effective because Microsoft Edge’s news feed doubles as the web browser’s homepage, increasing the chances that users are lured by “shocking or bizarre stories” that attackers have placed there.

Fake news in Microsoft Edge

Once a user has clicked on a false news story, a script runs to decide whether that user should be targeted by the scam. According to Malwarebytes, the script aims to filter out “bots, VPNs, and geolocations that are not of interest,” and these machines are instead sent to a harmless decoy page.

“This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers”, wrote Malwarebytes, in reference to the scourge of malvertising, whereby threat actors serve up fake advertisements to users in order to compromise their devices.

The scam operation relies on an ever-changing list of malicious domains served up by DigitalOcean’s cloud-based web hosting infrastructure, making the threat difficult to stamp out completely. Malwarebytes claimed that, over the course of 24 hours, more than 200 different hostnames were being used for tech support scam pages.

It also noted the considerable efforts to obscure identifying information (known as fingerprinting) about servers and devices involved in the campaign.

The company did, however, connect one of the collected domains, previously reported as suspicious, to Sumit Kalra, listed as a director for “Mws Software Services Private Limited”, a Delhi-based company working in “Computer and related activities”.

It also linked Kalra to a number of other domains involved with this particular campaign, which Malwarebytes has said is “one of the biggest we are seeing in terms of telemetry noise”. 

TechRadar Pro has asked Kalra, Mws Software Services Private Limited, and Microsoft for comment.

Default browsers and malvertising

Microsoft Edge is the default web browser on Windows 10 and 11, making it a prime target for scammers looking to target the largest number of unsuspecting users who are less aware of what measures they can take to stay secure online.

Users looking to protect themselves from fake tech support scams and other threat actors may wish to install one of the best free VPNs, consider an anonymous web browser, or simply change their Microsoft Edge homepage from the default news feed.

They should also maintain a healthy skepticism when interacting with content from an unfamiliar or disreputable source. If a news story sounds too good to be true, thinking twice before clicking on it can go a long way.

Clicking on a fake advertisement can result in a device being infected with malware. But scammers sometimes just want users to believe they’ve been infected and to follow through with what the page is requesting of them. This may be to call a certain phone number, or send money to an unknown actor - the latter being a form of ransomware.

To stay safe, users should also be vigilant about the pages making these requests. Usually, it’s antivirus software, not a web browser, that reports on threats to a device’s security. 

Luke Hughes
Staff Writer

 Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.
