Confiant has been blocking a large-scale and persistent attack over the last six weeks that targets mobile users in multiple European countries. The malicious campaign, operated by the Fizzcore group, uses photoshopped images of celebrities to lure visitors into a bitcoin investment scam.
Activity matching the patterns of the group "Fizzcore" (which Confiant named back in 2019) was very high in 2020 but had since slowed down.
Following our January 2020 research, the term "Fizzcore" quickly gained momentum across the industry to refer more broadly to a new vector of clickbait attacks based on sophisticated creative cloaking and aggressive clickbait. The Fizzcore group invented this style of attack, and the scheme was then progressively adopted by a variety of threat actors, for example the highly active malvertisers Zirconium and eGobbler.
After a few weeks of monitored activity, our Security team was able to assemble enough patterns to confirm the Fizzcore attribution. The group is making a strong comeback, with a volume of activity not seen since June of 2020 and repeated campaigns week over week, with a particular preference for striking early on Wednesday mornings.
In some of the campaigns, the malvertisers took ownership of defunct ad tech domains to achieve high reputation and maintain persistence:
The first domain was a widely seen ad server until 2016 and was operated by Sparks47 Srl, a company based in Italy. The second domain used to be an ad server called AVID. It was snapped up by Fizzcore in January of this year and started being used in February. AVID had ceased operations in 2018.
Summary of the attack
The attack started on June 23 and has continued at a high level since then.
• DSP: Tier 1 DSP
• SSP: Tier 1 SSP
• Great Britain (31%)
• iOS (31%), Android (69%)