Assessment: Multiple new redirect campaigns detected driving users to .best, .club and .online domains. The campaigns use various known methods and fingerprinting to target mobile devices, specifically looking for certain user agent strings. The fraudsters are also looking for known wrappers as part of their execution code.

Affected platforms:  MediaMath, Acuity & Weborama

Sample Creative & Landing Page

  

Assessment: A redirect campaign emerged 6/13 targeting iPhone and iPad devices across the US. The campaign utilized a handful of S3 script files attempting to drive traffic to various .icu domains.

Affected platforms:  Beachfront Media

Hijacked creative:

Assessment: New rash of redirects targeting mobile and desktop devices in the US and Germany. Over 1.5M ads blocked over a 3-day period. Various CloudFront endpoints are being used to load analytics libraries hosting malicious content.

Affected Platforms:  TradeDesk >> AppNexus

Ad Creative:

Assessment: Multiple redirect campaigns detected driving users to sites like: v.choicegiftcard[dot]club/gift, v.rewardstoday[dot]site/gift, v.rewardsmarket[dot]xyz and bestads[dot]online. Ads are using a number of new techniques to execute problematic behavior, including manipulation of the Google tpc.googlesyndication.com call to execute malicious payloads.

Affected Platforms: 

SSPs: Rubicon, RhythmOne, Triple Lift (already blocked buyer)

DSP:  SmartAdserver

      

Large spike in blocked ads due to Covid-19

Assessment: Over the past few weeks our block volumes have reached all-time highs, and the increase can be traced back to late February as the Covid-19 crisis began to take its toll. Overall our block volume has more than doubled, and as of April we have recorded a 168% increase over the averages from the previous three months (see chart below).

With softer bid density due to reduced ad budgets, we are seeing a spike in a host of new threats entering the ecosystem. Our Malware and Redirect bad actors have been as busy as ever, but the largest increase has been in Trojans, where the ad directs users to install potentially unwanted programs.

Finally, we have unfortunately seen a host of Covid-19 scams where bad actors are taking advantage of the pandemic by running ads for masks, ventilators, etc. We are finding these ads via our ad scans and then adding them to blocklists on a client-by-client basis. If you have not heard about this option yet from your Account Manager, please reach out and we will be happy to tell you more about this new block type.
