{"id":10414,"date":"2026-02-05T10:00:52","date_gmt":"2026-02-05T10:00:52","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/new-3-step-malvertising-chain-abusing-facebook-paid-ads-to-push-tech-support-scam-kit\/"},"modified":"2026-02-05T10:00:52","modified_gmt":"2026-02-05T10:00:52","slug":"new-3-step-malvertising-chain-abusing-facebook-paid-ads-to-push-tech-support-scam-kit","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/new-3-step-malvertising-chain-abusing-facebook-paid-ads-to-push-tech-support-scam-kit\/","title":{"rendered":"New 3 Step Malvertising Chain Abusing Facebook Paid Ads to Push Tech Support Scam Kit"},"content":{"rendered":"<div>\n<p>A sophisticated new cyber threat has emerged within the digital advertising ecosystem, specifically targeting users through the vast reach of Facebook\u2019s paid advertising platform. <\/p>\n<p>Malicious actors are increasingly weaponizing social media ads to bypass traditional security filters and deliver harmful content to unsuspecting victims. <\/p>\n<p>This latest campaign orchestrates a complex, three-step <a href=\"https:\/\/cybersecuritynews.com\/new-malvertising-campaign\/\" id=\"125968\" target=\"_blank\" rel=\"noreferrer noopener\">malvertising<\/a> chain designed to deceive users and funnel them into a technical support scam (TSS) kit, posing a significant risk to individual cybersecurity.<\/p>\n<p>The attack begins innocuously when a user interacts with a paid advertisement while browsing their social feed. Rather than directing traffic to a legitimate business, the ad triggers a redirection sequence. 
<\/p>\n<p>The victim is first routed to a decoy website\u2014specifically designed to look like an Italian restaurant page\u2014which serves as a crucial buffer. <\/p>\n<p>This intermediate step is calculated to evade automated detection scanners that might otherwise flag a direct link to a malicious site. <\/p>\n<p>Once the filter is passed, the user is forwarded to the final destination: a fraudulent landing page designed to panic the user.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We&#8217;re tracking a 3-step <a href=\"https:\/\/twitter.com\/hashtag\/malvertising?src=hash&amp;ref_src=twsrc%5Etfw\">#malvertising<\/a> chain abusing paid <a href=\"https:\/\/twitter.com\/facebook?ref_src=twsrc%5Etfw\">@Facebook<\/a> ads to push a tech support <a href=\"https:\/\/twitter.com\/hashtag\/scam?src=hash&amp;ref_src=twsrc%5Etfw\">#scam<\/a> kit:<\/p>\n<p>FB ad \u2192 Italian-restaurant decoy site that redirects to an Azure-hosted TSS landing page (*.web.core.windows.net).<\/p>\n<p>\ud83c\uddfa\ud83c\uddf8 US-targeted: attacker rotated &gt;100 domains in 7 days\u2026 <a href=\"https:\/\/t.co\/zY5F7BLSSs\">pic.twitter.com\/zY5F7BLSSs<\/a><\/p>\n<p>\u2014 Gen Threat Labs (@GenThreatLabs) <a href=\"https:\/\/twitter.com\/GenThreatLabs\/status\/2019116376749756923?ref_src=twsrc%5Etfw\">February 4, 2026<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>Gen Threat Labs analysts <a 
href=\"https:\/\/x.com\/GenThreatLabs\/status\/2019116376749756923?s=20\" id=\"https:\/\/x.com\/GenThreatLabs\/status\/2019116376749756923?s=20\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> this specific activity, highlighting its highly targeted nature and the attackers\u2019 rapid infrastructure rotation. <\/p>\n<p>The researchers noted that the campaign is exclusively targeting users in the United States and operates with a distinct temporal pattern. <\/p>\n<p>To maintain persistence and avoid blacklisting, the threat actors rotated through more than 100 unique domains in just seven days. <\/p>\n<p>Notably, this activity was observed primarily on weekdays, suggesting the attackers are operating on a professional schedule to maximize their reach during peak usage hours.<\/p>\n<p>The final stage of this chain deposits the victim onto a landing page hosted on Microsoft Azure\u2019s cloud infrastructure. <\/p>\n<p>By leveraging legitimate subdomains such as\u00a0<code>web.core.windows.net<\/code>, the scammers lend a veneer of authenticity to their <a href=\"https:\/\/cybersecuritynews.com\/fake-captcha-attack-leverages-microsoft-application-virtualization\/\" id=\"140879\" target=\"_blank\" rel=\"noreferrer noopener\">fraudulent alerts<\/a>. <\/p>\n<p>These pages typically mimic official system warnings, falsely claiming the device is compromised to coerce victims into calling a fake support hotline.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-evasion-through-legitimate-infrastructure\"><strong>Evasion Through Legitimate Infrastructure<\/strong><\/h2>\n<p>The most defining characteristic of this campaign is its abuse of trusted cloud services to mask malicious intent. <\/p>\n<p>By hosting the TSS landing pages on Azure, the attackers complicate mitigation efforts, as broad blocking of the shared <code>web.core.windows.net<\/code> domain would disrupt legitimate services. 
<\/p>\n<p>The use of the\u00a0<code>simplydeliciouspairing[.]com<\/code>\u00a0decoy site further <a href=\"https:\/\/cybersecuritynews.com\/researchers-obfuscated-weaponized-net-assemblies\/\" id=\"112724\" target=\"_blank\" rel=\"noreferrer noopener\">obfuscates<\/a> the attack flow, ensuring that only real browser interactions reach the scam kit. <\/p>\n<p>This \u201cliving off the land\u201d strategy, combined with the high volume of domain rotation, allows the <a href=\"https:\/\/cybersecuritynews.com\/new-dprk-interview-campaign-leverages-fake-fonts\/\" id=\"140638\" target=\"_blank\" rel=\"noreferrer noopener\">campaign<\/a> to slip past static blocklists and signature-based detection effectively.<\/p>\n<p>Users are strongly advised to exercise caution when clicking on social media advertisements. Verify URL destinations before interacting with content and be wary of unexpected redirects. <\/p>\n<p>Security teams should implement blocks for the identified indicators of compromise (IOCs) and monitor for similar anomalous traffic patterns involving Azure subdomains.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-3-step-malvertising-chain-abusing-facebook-paid-ads\/\">New 3 Step Malvertising Chain Abusing Facebook Paid Ads to Push Tech Support Scam Kit<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New 3 Step Malvertising Chain Abusing Facebook Paid Ads to Push Tech Support Scam Kit A sophisticated new cyber threat has emerged within the digital advertising ecosystem, specifically targeting users through the vast reach of Facebook\u2019s paid advertising platform. Malicious actors are increasingly weaponizing social media ads to bypass traditional security filters and deliver harmful 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10414","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10414"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10414"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10414\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}