Facebook users in France are subject to a wave of malicious ads which, if clicked, redirect them to a website hosting a tech support scam.
The campaign was first reported on the Malekal forum by French users. At the moment, the malvertising attack seems to be aimed at French-speaking users only, with all the malicious ads appearing to advertise French sites, but silently redirecting potential visitors to web pages that scare users with ominous warnings.
Below are two of the ads that appear to redirect users to pages showing tech support scams.
The ads observed redirecting users to tech support pages are for the following domains:
hxxp://actu.com-vnv.com/1 hxxp://actu-europe.com/camp1/ hxxp://actulist.com/adv1/ hxxp://hebdo-actu.com/ad-s1/ hxxp://twimflp.com/ads-03/ hxxp://25608498.com/ hxxp://com-uknewsnow.com/
Clicking on any of those ads redirects users to the website pictured below, located at "hxxp://scansecure21.online/virus-alerte/".
We tried altering the link path but couldn't find an equivalent localized URL for English, German, or other users. Nevertheless, scammers manage large server and domain portfolios, and if there's a similar malvertising campaign targeting users of other countries, the crooks might simply be redirecting those visitors to another URL.
For the French version of this tech support scam, crooks attempt to trick victims into calling a phone number for tech support services by telling users they've been infected with the "Zeus Virus." Zeus is the name of an older banking trojan whose source code was leaked many years ago and has been used as the base for many of today's banking trojans.
If users dismiss the popup telling them they're infected with the virus, the underlying page tells them their system has encountered errors.
French security researcher Malekal Morte, who first investigated this campaign, has also recorded a YouTube video showing how quickly the malicious ads take a user from Facebook to the tech support scam page.