In its continuing research on malvertising and “scarevertising,” cybersecurity solutions firm Sophos found that cybercriminals have developed “ingenious” ways to scam victims. The latest of these are tech support scams for questionable mobile apps that use ad networks to find their unwitting victims.
According to Sophos, “fake alert” web pages have frequently used advertising networks as the distribution scheme for potentially unwanted applications (PUA), particularly with the Bundlore family.
The firm said the alerts look legitimate to unsuspecting victims, but those who are more well-versed in cybersecurity would instantly recognize a scam coming.
SophosLabs Uncut has researched a resurgence of fake alerts, called Scareware or Malvertising, that lure users into thinking they need technical support and then buying fake apps or fleeceware off a mobile app store. These fake alerts also now prompt users to “call back.”
“While browser developers have done a lot to make ‘malvertising’ more difficult, ad networks keep finding new ways to pop up content in your device browsers, and scammers continue to take advantage of ad networks to target more vulnerable people. Sophos’ research shows how expansive these ‘fake alert’ fraud schemes and the ecosystem that supports them still are, and how little investment and technical skill are required to run them,” said Sean Gallagher, senior threat researcher, SophosLabs.
Sophos also found several fake alert pages that have been executing similar attacks on other browsers utilizing pop-under ads.
The scam is even more problematic because it won’t provide victims a way out. Sophos saw that scammers managed to develop “browser lock attacks” wherein users cannot navigate away from the page. These attacks likewise target mobile devices using the same technique.
As protections against malvertising improve on desktops, Sophos anticipates that more scammers will focus on the weaknesses of mobile devices. However, fake alerts are easy to spot and remove. Check for spelling errors and strange phrasing. If there is a countdown clock or intense pressure to call back, it is likely a scam.
“These scams, which use web pages crafted to resemble mobile operating system alerts, follow the same pattern as desktop scams in that they are either linked to tech support scams or to PUA downloads including ‘fleeceware’ apps in Google’s and Apple’s app stores,” Sophos said. “These types of scam pages have been around for several years. But they remain a threat — mostly because of weaknesses in the pop-up defenses of mobile web browsers. And because they don’t carry any obviously malicious code, most don’t trigger any sort of anti-malware detection. They’re a sort of a ‘scareware’ version of malicious advertisements — scarevertising.”