A group behind the recent outbreaks of malicious advertisements being displayed through Windows 10 apps and Microsoft games has been identified as being based out of Hong Kong. This group is behind millions of advertisements that redirect users to scams, malware, and adware bundles.
In April and June of this year, BleepingComputer reported on how French and German users were being targeted by malvertising that displayed tech support scams, phishing pages, and fake sweepstakes. What was making this attack unusual was that the ads were being displayed in free Microsoft games and Windows 10 apps that allowed them to escape the app and launch unwanted sites in a user's default browser.
According to a report shared with BleepingComputer, advertising security company Confiant discovered a Hong Kong based advertiser that was creating corporate identities to partner with DSPs (demand-side platforms). It would then distribute their low quality and often malicious ads through the DSPs to other ad networks and publishers.
"In March 2019, we were fortunate to receive some feedback from one of our platform customers regarding a campaign that fit the attribution model for this attacker. We were told that the buyer, “fiber-ads”, has been active as of January 2019," Confiant security engineer and researcher Eliya Stein stated in their report. "We were able to confirm this exact buyer with multiple platform partners as well. We were also told that they recently pivoted to a new corporate identity, 'Clickfollow.'"