The hijacked domains are used to host large numbers of URLs that route users, through a variety of traffic distribution systems (TDSs), to sites hosting scams and malware, the report says.
Adding malicious browser push notifications to the attack chain acts as a force multiplier, it adds. These notifications try to convince employees to click on a link to update their antivirus, turn on their firewall, or contact Microsoft support. The links, of course, download malware or lead to fake support sites demanding payment. Because a notification permission granted to a site persists in the browser after the user leaves that site, the operators can keep pushing such lures long after the initial visit.
“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or ‘highbrow’ cybercrime,” the report says. “Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market.”