{"id":186,"date":"2024-04-15T11:17:50","date_gmt":"2024-04-15T16:17:50","guid":{"rendered":"https:\/\/freshphish.info\/?p=186"},"modified":"2024-04-15T11:17:50","modified_gmt":"2024-04-15T16:17:50","slug":"fake-av-toad-ads","status":"publish","type":"post","link":"https:\/\/freshphish.info\/?p=186","title":{"rendered":"Fake AV TOAD Ads"},"content":{"rendered":"\n

This one isn’t an email I know it is something that has been around awhile. I’ve seen a lot more of these in the past week or so.<\/p>\n\n\n\n

First, a web browser is presented an ad in the middle of a news article that looks like a continue button to read the rest of the story. If the user would scroll down just a bit, they’d see the rest of their article but they see a “continue” button and click it without thinking.<\/p>\n\n\n\n

\"\"
Here is a screenshot of the ad seen.<\/figcaption><\/figure>\n\n\n\n

Once clicked, they are initially brought to a Google ad landing page that just presents another Continue button:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once they click this Continue button, they’re brought to the fake ad page, which tries to put the browser into full screen mode, shows malware alerts and has a computer generated voice warning about a malware infection. This is intended to cause a panic in the user so they’ll call the provided phone number, which would result in a likely fraudulent charge or perhaps a refund scam.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Note my virtual environment here shaded the screen and prompted for permission to go full screen. The URL is in the z13.web.core.windows.net subdomain, owned by Microsoft. Doing a search for this subdomain provides a number of discussions about the volume of malicious sites hosted here. I recommend blocking this subdomain for all environments.<\/p>\n\n\n\n

-Matt<\/p>\n","protected":false},"excerpt":{"rendered":"

This one isn’t an email I know it is something that has been around awhile. I’ve seen a lot more<\/p>\n

Continue readingFake AV TOAD Ads<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[53],"tags":[50,52,19,49],"class_list":["post-186","post","type-post","status-publish","format-standard","hentry","category-malvertising","tag-fake-av","tag-malvertising","tag-microsoft","tag-toad"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=186"}],"version-history":[{"count":1,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/freshphish.info\/index.php?rest_route=\/wp\/v2\/posts\/186\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freshphish.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}