Online criminals are notorious for lurking on social media sites and tricking users into visiting malicious links. We recently observed a scheme where Facebook users are clicking on posts that lead to external websites set up for the sole purpose of scamming them out of hundreds of dollars via fake browser alerts.

What is unique about this campaign is the abuse of Google Cloud Run to generate new malicious links every few minutes. We had never previously seen tech support scams hosted on Google’s serverless platform, and certainly not at this scale. In this blog, we expose the techniques used by scammers to lure victims while evading detection.

We have reported these incidents to both Facebook and Google.

Facebook posts with malicious links

Facebook relies on users sharing content by posting photos, videos or links to various stories. However, when a link is posted for an external website, Facebook can no longer control the user experience, and in particular any risk that may occur from visiting it.

We identified several Facebook accounts that were posting a number of stories, ranging from clickbait articles to newsworthy content. We’re unsure whether those accounts were compromised or not, but we noticed that the same account posted more than one malicious link at different time intervals, indicating that it might have been controlled by a threat actor.

Facebook posts with external link

In the next section, we take a look at how these websites are set up in a way to deceive security controls by employing a technique known as cloaking.

Decoy/cloaking

If you were to visit the URLs while running a VPN or perhaps from a country that is not targeted, you would see what appears to be a typical news site devoid of any scam. But the closer you look at those sites, the more you realize they are bogus: they’re essentially the same content with different domain names. This is the same old cloaking technique where a fraudster creates a decoy page to deceive online platforms and security tools.

Decoy websites used for cloaking

Now, if you happen to click on a Facebook post as a real human (not a bot or using a VPN), you will get something entirely different, as the cloaking domains will perform a 302 redirect. This is a simple server-side instruction that will load another website immediately and seamlessly.

In the diagram below, we can see the network traffic and details for each web request, eventually loading a page that we are all too familiar with: a fake Microsoft alert.

Traffic redirection

Google Cloud Run “infrastructure”

One thing that drew our attention immediately was that the fake error pages are hosted on Google Cloud Run, a “managed compute platform that lets you run containers directly on top of Google’s scalable infrastructure”. Essentially, developers only need to create a container and deploy it as a microservice, without the need for a server, allowing them to focus on the code instead.

For a scammer, this is simply another platform they can abuse with minimum overhead costs. In fact, Google offers new customers $300 in free credits to spend on Cloud Run and two million requests free per month, not charged against credits.

We monitored the cloaking domains closely for some time and determined that the threat actor has set up a scheduled task that creates a new Cloud Run URL every 5 minutes. This new URL is immediately available and assigned to the cloaking domain for the malicious redirect. Over the course of a few days, we observed thousands of malicious URLs:

Google Cloud Run URLs

Not only does the URL keep on changing, but the IP addresses they are using are also shared with other customers. This means that any security product relying on a domain or IP blocklist will be unable to keep up with this campaign.
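Because the redirect target rotates while the cloaking domain stays put, the behaviour itself can be detected even when blocklists lag. The following is an added example, not code from the original article: it scans web proxy records for hosts whose 302 responses point at several different Cloud Run hostnames (under `run.app`) within a time window. The log layout, hostnames, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy records: (ISO time, requested host, HTTP status, Location header).
# Hostnames are placeholders, not indicators from the article.
SAMPLE_LOG = [
    ("2024-01-01T10:00:00", "news-decoy.example", 302, "https://svc-aaa111-uc.a.run.app/"),
    ("2024-01-01T10:05:00", "news-decoy.example", 302, "https://svc-bbb222-uc.a.run.app/"),
    ("2024-01-01T10:10:00", "news-decoy.example", 302, "https://svc-ccc333-uc.a.run.app/"),
    ("2024-01-01T10:12:00", "news-decoy.example", 200, ""),  # decoy page, no redirect
    ("2024-01-01T10:00:00", "shop.example", 302, "https://checkout-xyz-ew.a.run.app/"),
    ("2024-01-01T10:20:00", "shop.example", 302, "https://checkout-xyz-ew.a.run.app/"),
    ("2024-01-01T10:30:00", "blog.example", 302, "https://blog.example/home"),
]

def is_cloud_run(host):
    """Cloud Run service hostnames live under run.app."""
    return host == "run.app" or host.endswith(".run.app")

def rotating_redirectors(records, window=timedelta(hours=1), min_targets=3):
    """Return {redirecting host: sorted distinct Cloud Run targets} for hosts whose
    302 responses pointed at >= min_targets different run.app hosts within `window`."""
    seen = defaultdict(list)  # redirecting host -> [(time, target host)]
    for ts, host, status, location in records:
        if status != 302 or not location:
            continue
        target = (urlsplit(location).hostname or "").lower()
        if is_cloud_run(target):
            seen[host.lower()].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for host, hits in seen.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the left edge forward until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {t for _, t in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[host] = sorted(targets)
                break
    return flagged

if __name__ == "__main__":
    for host, targets in rotating_redirectors(SAMPLE_LOG).items():
        print(host, "->", len(targets), "distinct Cloud Run targets:", targets)
```

A legitimate site that fronts a single Cloud Run service redirects to one stable hostname and is not flagged; the threshold and window should be tuned against your own traffic.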

Staying protected with social media and scams

Social media can be a great source of entertainment or a way to connect with family and friends. However, there are inherent risks to using these platforms and caution should be exercised. Clickbait articles are notorious for leading to various bogus offers or worse.

Another issue is how promoted posts can quickly become viral as victims inadvertently share links with their contacts. Certainly, tech support scammers are well aware of how to target certain demographics, such as seniors, and lure them in via deceptive Facebook posts. As always, we recommend not panicking even if your computer screen suddenly becomes hijacked as a stern audio recording plays back. In practically all cases, you can safely close these pop-ups and be back up and running quickly.

Malwarebytes Browser Guard is able to protect against these attacks flawlessly, no matter how many times the fraudsters swap Google Cloud Run URLs. The built-in fraud heuristic engine is able to detect the malicious code and block it in real time.

Malwarebytes Browser Guard

Indicators of Compromise

Cloaking domains


Cloaking hosting

194.38.23[.]88
194.38.23[.]18
194.38.23[.]58
194.38.23[.]30

Google Cloud Run URLs (partial list here).