Malicious Bing search ads have been used in a recent tech support scam campaign to trick American users into visiting phony Microsoft Azure support pages stored in cloud storage. The activity started on February 2 at approximately 16:00 UTC and swiftly affected users from 48 different organizations, according to researchers at Netskope Threat Labs.

All of the victims were located in the United States and were employed in a variety of sectors, such as technology, manufacturing, and healthcare. The campaign's size and speed were noteworthy, particularly considering that it used sponsored search ads instead of phishing emails or social media links. A user searching Microsoft Bing for a common term, like "amazon," started the infection chain.

The victims clicked on a malicious advertisement that was displayed in the search results rather than the genuine website. This emphasizes a crucial security lesson: typing a well-known URL, like Amazon.com, directly is safer than searching for it and clicking advertisements. Threat actors can misuse sponsored search results by paying to have malicious links appear above trustworthy results.

Users were initially taken to a freshly registered domain that hosted an empty WordPress website when they clicked on the malicious advertisement. That website then redirected traffic to pages hosted in Microsoft Azure Blob Storage containers.

Azure Blob Storage Abuse

Azure Blob Storage, a reputable cloud storage provider, hosted the final scam pages. The attackers created several storage containers with arbitrary names.

Among the salient features were:

- Container names that are generated at random
- A fixed path that ends in werrx01USAHTML/index.html
- A query parameter with a phone number

The scam used the phone numbers that were embedded in the URLs. The victims were told to dial numbers like:

- 1-866-520-2041
- 1-833-445-4045
- 1-866-520-2173
- 1-855-369-0320
- 1-833-445-3957

Upon accessing the page, users were presented with a standard tech support scam alert, advising them to contact "Azure Support" and cautioning them about fictitious security concerns. The aim was to persuade victims to divulge payment information or allow remote access.

[Figure: Malicious Bing Ads Scam (Source: Netskope)]

Infrastructure Standardization

Researchers found dozens of Azure Blob container domains with the same naming convention.

This implies an automated and standardized deployment process that enables attackers to swiftly spin up new containers in the event that older ones are taken down. This strategy is not brand-new. In the past, tech support scammers have hosted phishing content on sites like DigitalOcean and StackPath.

Nonetheless, the campaign's reach was greatly expanded by the effective placement of malicious advertisements in Bing search results. These pages are identified by Netskope as "ET PHISHING Microsoft Support Phish Landing Page." At the time of publication, Microsoft had received reports for all identified Azure Blob Storage domains, and they were no longer hosting malicious content.

Companies ought to:

- Teach users not to click on sponsored search results for popular brands.
- Promote direct URL navigation for reliable websites.
- Keep an eye on web traffic and DNS for any unusual patterns on blob.core.windows.net.
- At the network level, block known scam phone numbers.
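As an added example (not code from Netskope or from this article), the following Python sketch flags proxy-log URLs that match the hosting pattern described above: a blob.core.windows.net host, the fixed path ending, and a phone number carried in a query parameter. The sample URLs, storage host names, and the `phone` and `bcda` parameter names are constructed for illustration; the article does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

BLOB_SUFFIX = ".blob.core.windows.net"
FIXED_PATH_TAIL = "werrx01usahtml/index.html"  # fixed path ending reported in the article
# North American number with optional leading 1 and common separators.
PHONE_RE = re.compile(r"\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}")


def scam_indicators(url):
    """Return the list of campaign indicators present in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Suffix match on the parsed hostname, so look-alike hosts such as
    # blob.core.windows.net.example.com do not qualify.
    if not host.endswith(BLOB_SUFFIX):
        return []
    hits = []
    if parts.path.lower().endswith(FIXED_PATH_TAIL):
        hits.append("fixed_path")
    # The parameter name is unknown, so inspect every value.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if PHONE_RE.fullmatch(value.strip()):
            hits.append("phone_param")
            break
    return hits


def triage(urls):
    """Map each URL with at least one indicator to its indicator list."""
    flagged = {}
    for url in urls:
        hits = scam_indicators(url)
        if hits:
            flagged[url] = hits
    return flagged


# Constructed sample URLs (hosts and parameter names are placeholders).
SAMPLE_URLS = [
    "https://constructedacct01.blob.core.windows.net/c1/werrx01USAHTML/index.html?phone=1-866-520-2041",
    "https://constructedacct02.blob.core.windows.net/assets/logo.png",
    "https://constructedacct03.blob.core.windows.net/docs/index.html?bcda=1-833-445-4045",
    "https://blob.core.windows.net.example.com/werrx01USAHTML/index.html?phone=1-866-520-2041",
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_URLS).items():
        print(",".join(hits), url)
```

A URL with both indicators is a strong match; a phone-like value alone on a blob host is weaker and better treated as a hunting lead than as a block rule.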

This campaign shows how threat actors are still using legitimate cloud services and advertising platforms as weapons to expand conventional tech support scams.