Cybersecurity researchers have disclosed a previously undocumented aspect of ClickFix-style attacks that hinge on abusing a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds.
“Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily ‘ad impressions’ [in the last ten days] and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic,” Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.
The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and other such pages to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information stealers like Lumma.
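The ClickFix step above leaves a recognizable trace in endpoint telemetry: a PowerShell process carrying a Base64 (UTF-16LE) `-EncodedCommand` payload, typically spawned by `explorer.exe` because the victim pasted it into the Run dialog. The following added example (not code from the article or from Guardio Labs) decodes such payloads and scores constructed Sysmon-style process-creation events for that pattern; the explorer.exe parent heuristic and the sample events are assumptions for illustration.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# and the payload is Base64 over UTF-16LE text.
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand blob the way PowerShell expects (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand-style blob, else None."""
    for m in FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy / -ep: not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return "<undecodable blob>"  # malformed blob is still worth a look
    return None


def triage(event: dict) -> dict:
    """Score one process-creation event for the ClickFix pattern described in the article."""
    decoded = decode_encoded_command(event["command_line"])
    reasons = []
    if decoded is not None:
        reasons.append("base64-encoded PowerShell command")
    # Assumption: a command pasted into the Run dialog is spawned by explorer.exe.
    if decoded is not None and event["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog / paste)")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", event["command_line"]):
        reasons.append("hidden window")
    return {"decoded": decoded, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample events in simplified Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -enc " + encode_ps("Write-Host 'constructed sample'")},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The decoded script is what an analyst would review next; the first sample is flagged on two indicators, the scheduled-looking second one is not.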
The attacks are no longer confined to a single actor, with Proofpoint recently stating that multiple “unattributed” threat clusters have embraced the clever social engineering technique to deliver remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4.
Guardio Labs said it was able to trace the origins of the campaign to Monetag, a platform that claims to offer multiple ad formats to “monetize websites, social traffic, Telegram Mini Apps,” with threat actors also leveraging services like BeMob ad-tracking to cloak their malicious intent. Monetag is also tracked by Infoblox under the names Vane Viper and Omnatuor.
The campaign essentially boils down to this: website owners (i.e., threat actors) register with Monetag, after which traffic is redirected to a Traffic Distribution System (TDS) operated by the malvertising ad network, ultimately taking visitors to the CAPTCHA verification page.
“By supplying a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag’s content moderation efforts,” Tal explained. “This BeMob TDS finally redirects to the malicious CAPTCHA page, hosted on services like Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and even Cloudflare’s R2.”
Following responsible disclosure, Monetag has removed over 200 accounts linked to the threat actor. BeMob, in a similar effort, removed the accounts that were used for cloaking. That said, there are signs that the campaign has resumed as of December 5, 2024.
The findings once again highlight the need for content moderation and robust account validation to prevent fake registrations.
“From deceptive publisher sites offering pirated or clickbait content to complex redirect chains and cloaking techniques, this campaign underscores how ad networks, designed for legitimate purposes, can be weaponized for malicious activities,” Tal said.
“The result is a fragmented chain of responsibilities, with ad networks, publishers, ad statistics services, and hosting providers each playing a role yet often avoiding accountability.”