Online criminals are constantly thinking of ways to trap victims via social media platforms. The main goal is to get users to click on malicious links. In doing so, they often lurk in the background and use sophisticated tactics to deceive their victims. Malwarebytes' threat intelligence team has discovered a new scam on Facebook that uses clickbaiting and lures users into a money trap with sophisticated tricks. What makes it special is that the scam is built on Google Cloud Run infrastructure.
Malwarebytes security researchers told me that the threat intelligence team came across a sophisticated Facebook scam scheme during recent investigations. When Facebook users click on certain posts, they are redirected directly to external websites whose only goal is to scam them out of large amounts of money with fake browser alerts.
"What makes this campaign special is the misuse of Google Cloud Run to generate new malicious links every few minutes," said Jérôme Segura, senior director of threat intelligence at Malwarebytes. "We had never seen a technical support scam hosted on Google's serverless platform before, let alone on this scale." Malwarebytes reported the incidents to both Facebook and Google.
Clickbait articles with malicious links
It is crucial for Facebook that its users share content, whether in the form of photos, videos or links to various posts. However, when users post links to external websites, Facebook no longer has control over what happens there and is also unaware of potential dangers associated with visiting that external website.
Malwarebytes' threat intelligence team has now identified several Facebook accounts that published a series of posts, mainly clickbait articles and news-related content. It is unclear whether these accounts were compromised. However, one of the identified accounts posted multiple malicious links at different times, which indicates that the account in question may have been controlled by a threat actor.
Fake pages as a camouflage
Users who access these posted URLs via a VPN or from a non-target country see a seemingly normal news page that does not contain any obvious scam. However, upon closer inspection, it turns out to be a fake page. It is essentially the same content, just presented under a different domain name. This is a well-known camouflage method that scammers use to create fake pages in order to deceive online platforms and security tools.
However, if you click on a Facebook post as a real user (not as a bot or via a VPN), the target page displays something completely different. This is because the so-called cloaking domains answer with a 302 redirect, a server-side instruction that makes the browser load another website immediately and seamlessly.
Scam based on Google Cloud Run infrastructure
What is striking about the scam is that the fake pages were hosted on Google Cloud Run. On this serverless platform, developers only need to create a container and deploy it as a microservice, without having to run a server themselves. This allows them to focus entirely on developing their code. For fraudsters, Google Cloud Run thus represents another platform that they can abuse for their own purposes at little cost.
By monitoring the cloaking domains for a longer period of time, Malwarebytes was able to determine that the attacker has set up an automated task that generates a new Cloud Run URL every five minutes. These URLs are immediately available and serve as cloaking domains for malicious redirects. Within a few days, Malwarebytes was able to identify thousands of malicious URLs.
The worrying thing is that not only are the URLs constantly changing, but the IP addresses used are also shared with other customers. This means that traditional security products based on a domain or IP block list cannot keep up with this sophisticated campaign.
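Because individual URLs and IP addresses are useless as indicators here, a defender can look at the rotation itself. The following is an added example, not code from Malwarebytes or from the campaign: it scans proxy records for hosts whose 302 responses point to several different Cloud Run hostnames (served under run.app) within a short window. The log layout, all hostnames, the window and the threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy records: (time, requested host, HTTP status, Location header).
# All hostnames are invented for illustration.
SAMPLE_LOG = [
    ("2024-01-10T09:00:05", "news-cloak.example", 302, "https://svc-a1-xyz-uc.a.run.app/"),
    ("2024-01-10T09:05:40", "news-cloak.example", 302, "https://svc-b2-xyz-uc.a.run.app/"),
    ("2024-01-10T09:10:12", "news-cloak.example", 302, "https://svc-c3-xyz-uc.a.run.app/"),
    ("2024-01-10T09:15:55", "news-cloak.example", 302, "https://svc-d4-xyz-uc.a.run.app/"),
    ("2024-01-10T09:02:00", "shop.example", 302, "https://api-xyz-uc.a.run.app/login"),
    ("2024-01-10T09:20:00", "shop.example", 302, "https://api-xyz-uc.a.run.app/login"),
    ("2024-01-10T09:03:00", "blog.example", 200, ""),
]

def is_cloud_run(host):
    # Cloud Run service URLs are served under the run.app domain.
    return host == "run.app" or host.endswith(".run.app")

def rotating_redirectors(records, window=timedelta(minutes=30), min_hosts=3):
    """Return {redirecting host: sorted distinct Cloud Run targets} for hosts whose
    302 responses pointed at >= min_hosts different Cloud Run hostnames in one window."""
    seen = defaultdict(list)  # redirecting host -> [(time, target host)]
    for ts, host, status, location in records:
        if status != 302 or not location:
            continue
        target = (urlsplit(location).hostname or "").lower()
        if is_cloud_run(target):
            seen[host.lower()].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for host, hits in seen.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_hosts:
                flagged[host] = sorted({t for _, t in hits})
                break
    return flagged

if __name__ == "__main__":
    for host, targets in rotating_redirectors(SAMPLE_LOG).items():
        print(host, "->", len(targets), "distinct Cloud Run hosts")
```

A site that always redirects to the same Cloud Run service, like the constructed shop.example entry, is not flagged; only the churn of target hostnames is.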
Clickbait articles with malicious links
Social media makes for great entertainment and is also a great way to stay in touch with family and friends. However, using these platforms also poses some risks. Clickbait articles in particular are notorious for leading to various fake offers and malicious websites. Another problem is that clickbait articles can spread quickly if victims accidentally share links with their contacts. Of course, the scammers know exactly how to target specific demographics, such as seniors or teenagers, and lure them with misleading Facebook posts.
More insight into the technical details of the scam can be found on Malwarebytes' blog. The security researchers point out that Malwarebytes Browser Guard is able to protect users against these attacks – no matter how many times the scammers change the Google Cloud Run URLs. The integrated heuristic fraud engine detects and blocks malicious code in real time.