Security researchers have uncovered a security threat that has seen users of Windows 10 desktop apps served up with malicious adverts pushing everything from tech support scams to fake antivirus malware. Worse yet, because the ads are served up by ad-supported apps, and Windows 10 simply launches your default browser to open them, your browser ad-blocker will likely not stop them. To date, the malvertising campaign has delivered more than 100 million of these ads, and the attack surface extends well beyond Windows 10 apps.
Eliya Stein, a senior security engineer at Confiant, confirmed that "in-app advertisements are not the only vehicle of delivery for this particular attacker." Writing in a blog posting that explores the methodology of the malvertising campaign and tracks the threat actor behind it, Stein pointed out that desktop and mobile devices are targeted in relatively equal quantities, "but desktop Windows and iOS are heavily favored by the attacker."
Indeed, there have been reports of these malicious ads being spawned from within the Microsoft News app as well as Outlook and some Microsoft Games. "Malvertisers rely on forced redirections in order to drive victims to phishing pages, tech support scams, or drive-by downloads," Stein explained, adding that "the redirections spawn without any user interaction."
The Hong Kong Connection
The threat actor, in this case, according to the Confiant investigation, appears to be operating under the name of "fiber-ads" out of Hong Kong. It works by partnering with legitimate demand-side platforms (DSPs), which broker automated advertising placements that can target users as they are browsing. It's hardly surprising that fiber-ads should choose to form relationships with totally legitimate DSPs; it gives them access to premium audiences, and premium audiences represent a high-value target for players in the malvertising market.
You can think of malvertisers operating across two primary business models: the ones that own the whole delivery chain, including the payload, and those which act purely as intermediaries. The fiber-ads operation is firmly in the second camp.