- The scammers have bought ads displayed on major internet portals to redirect victims to drive traffic to decoy food-related blogs and earn money.
- These paid ads are typically displayed at the top in the search results and tend to generate more clicks.
Tech support scammers have been found utilizing paid search results to dupe elder people. The scammers have bought ads displayed on major internet portals to redirect victims to drive traffic to decoy blogs and earn money by alerting them that their computers have been infected.
How does it operate?
According to Malwarebytes, the scammers have created a number of food-related blogs that appear to be genuine. These blogs are part of the ads which appear on the paid search results.
The paid ads are typically displayed at the top in the search results and tend to generate more clicks.
Researchers found that the scammers have bought ads on several well-known web portals such as CenturyLink, Att.net, Yahoo! search and Xfinity to drive huge traffic.
“We do not have exact metrics on how many people clicked on those ads but we can infer that this campaign drew a significant amount of traffic based on two indicators: the first being our own telemetry and the second from a URL shortener used by one of the websites,” said researchers in a blog post.
What happen’s next?
Once the users click on one of these paid ads while searching for food recipes, they are redirected to a malicious website and alerts them that their computers have been infected. The scammers provide an alluring offer to clean up their systems.
The interesting aspect of the scam is it checks for the type of browser and operating system before displaying the appropriate template to Windows and macOS victims.
Like other tech support scam, the scammers try to sell unnecessary services and software to victims.
The researchers have discovered that scammers are selling the services from a company named Coretel Communications.
“Their website is hosted at 220.127.116.11, where we found two other interesting artifacts. The first one is a company named CoreTel that is also used by the scammers as a kind of business entity. It appears to be a rip off from another domain that pre-existed by several years and also hosted on the same IP address,” added researchers.