Hong Kong malvertiser blamed for malicious ads that invaded Microsoft apps

Security firm tracks down malvertiser who deployed malicious ads in Outlook, Microsoft games, and the Microsoft News app.
Written by Catalin Cimpanu, Contributor

A suspect based in Hong Kong is believed to be the main culprit behind a wave of malicious ads that have invaded Microsoft apps and services over the past few months.

The suspect is believed to be a Hong Kong man who operates at least two front companies named Fiber-Ads and Clockfollow, according to an investigation shared with ZDNet this week by Confiant, a cyber-security firm specialized in tracking malvertising campaigns.

Confiant says the suspect uses the two companies to place ads with legitimate ad networks. Malicious code hidden in the ads hijacks users viewing the ads, and redirect them to other sites.

The suspect then uses an account on MyMediaAds, a platform for online advertisers, to sell the hijacked traffic to other threat actors, redirecting users from legitimate apps and websites to sites pushing fake antivirus apps, Flash updates, tech support sites, and other scams.

Over 100 million bad ads in 2019 alone

Based on its internal data, Confiant said this Hong Kong-based threat actor has been responsible for over 100 million bad ad impressions this year alone.

Honk Kong actor bad ads
Image: Confiant (supplied)

"Desktop and mobile devices are targeted in relatively equal quantities, but desktop Windows and iOS are heavily favored by the attacker," said Eliya Stein, a Senior Security Engineer at Confiant.

While most of the bad ads coming from this threat actor have been displayed via web ads, some of them have also reached Windows apps and Microsoft services.

Stein said this threat actor is behind the wave of bad in-app ads that have recently been spotted inside the Microsoft News app, inside various Microsoft games, and Outlook.

The process work as follows: a user opens a Microsoft app, the app loads an ad, the malicious code in the ad opens the user's default browser to a malicious URL.

Some of these malvertising campaigns have been very silent, hitting users in small geographical areas, such as France or Germany.

However, this threat actor's malvertising activity goes beyond showing ads in Microsoft apps, which Confiant described as "just spillover from this bad actor's already active and disruptive malvertising rampage."

Hong Kong -- malvertisers' heaven

The same threat actor has also been seen selling hijacked traffic from popup ads delivered to US users.

Honk Kong threat actor selling popup ad traffic
Image: Confiant (supplied)

Over the last few weeks, Confiant has been working with the impacted ad platforms to ban the Hong Kong-based threat actor.

"During our investigation, a platform had confirmed that the buyer behind the campaigns was based out of Hong Kong," Stein told ZDNet in an interview.

"A growing number of malicious actors in the ad ecosystem are setting up business in Hong Kong where they are somewhat insulated from legal consequences while running their activities in the open," he added.

"We're hoping this article will shed some light into this phenomenon and we're happy to share such findings with law enforcement in the future."

ZDNet reached out for comment to the two email addresses listed on the Fiber-Ads and Clickfollow websites; however, we did not receive a reply before this article's publication.

Cybercrime and malware, 2019 predictions

Related malware and cybercrime coverage:

Editorial standards