Introduction

ScamClub is a highly sophisticated and well-funded threat actor primarily motivated by financial gains. They exploit vulnerabilities within the ad tech industry, particularly targeting web browsers and ad tech platforms. In September 2023, Confiant definitively linked ScamClub to WayTop International Advertising Limited in Hong Kong. Known for their advanced capabilities, ScamClub develops custom programs and codes to target various operating systems and web browsers. They prioritize operational security and have been credited with discovering zero-day browser vulnerabilities and introducing innovative attack methods. Since January 2023, ScamClub's activities have significantly increased, with a notable surge in attacks on DSPs, SSPs, ad platforms, and publishers, posing challenges to the ad tech landscape, and underscoring the urgent need for a coordinated takedown.

In September 2023, Confiant published a comprehensive threat intelligence report on ScamClub, which provided the evidence that led to an account level takedown against the threat actor known as ScamClub. The following article summarizes Confiant’s experience from this action, what we have learned from the account level takedown of that threat actor, and our plans to support our partners in the ad industry going forward.

ScamClub Phishing Attack Examples, Source: Confiant

Why Malvertising Matters

Importance to the marketplace

ScamClub is a prolific threat actor deeply embedded in the ad tech industry's supply chain, employing a strategy of numerous small-scale thefts to spread the impact across a wide range of users. They specialize in offering malvertising-as-a-service (MaaS) to place phishing ads that lure users into criminal scams. While they're not directly involved in the criminal attacks, they facilitate them by compromising ad tech systems. Their activities contribute significant revenue to the criminal ecosystem, with our conservative estimated profits from victims exceeding $8.5 million in the first half of 2023 published in our Threat Intelligence report, and potentially surpassing $50 million for the year. This underscores the sophisticated evolution of malvertising and its substantial impact on victims. The total monetary pain inflicted on the victims is a multiple higher because ScamClub is only one layer of this kill chain and multiple other criminal organizations profit too.

The effects of ScamClub malvertising include:

• Theft from victims through financial scams
• Degradation of premium ad site reputations
• Distrust of the viewing audience leading to widespread use of ad blockers
• Loss of legitimate advertisers and sponsors who don’t want to appear near scam ads
• Insertion of criminally funded revenue into the ad ecosystem

Lack of progress against known threat actors

ScamClub operates as a prominent malvertiser, often leaving traces of their activities. However, the failure to effectively combat major threats like ScamClub lies in the inadequate sophistication of ad tech security companies. These companies focus on blocking individual ads that violate security rules, rather than addressing the larger issue: the criminal networks behind malvertising. The emphasis on blocking ads distracts them from targeting the root cause—the threat actors' access to the ad tech supply chain. This results in a futile game of whack-a-mole, allowing malvertisers to continue their deceptive activities unchecked.

Three types of actions that the ad industry can take to protect from this type of threat actor, from least effective to most effective:

• Block ads at the endpoint as the ads render in real-time
• Block the path the campaigns are taking through the DSPs and SSPs to deliver ads
• Block the accounts of the threat actors, shutting off access entirely to the RTB process

Confiant's Pioneering Efforts

Since its inception, Confiant has a history of “firsts” by raising the bar above the status quo of the ad tech industry. A few of Confiant's market-leading examples:

• The first to block creatives in real time
• The first to have real time in-auction bid response validation
• The first to benchmark the state of malicious ads in the industry in our Malvertising and Ad Quality report
• The first to map the techniques, tactics and procedures (TTPs) of malvertising in our Malvertising Attack Matrix
• The first to publish a complete threat intelligence report on a major malvertising threat actor, ScamClub

Confiant, a forerunner in ad tech security, has consistently set new benchmarks in real-time ad blocking, in-auction bid response validation, and malvertising threat intelligence. The company's dedication to enhancing industry standards led to a strategic takedown of ScamClub, leveraging in-depth forensic analysis and collaboration with industry partners. This approach not only disrupted ScamClub's operations but also set a precedent for addressing malvertising at its source, rather than merely intercepting its manifestations. The first step was a technical takedown action against those servers.

Strategic Takedown and Industry Impact

The takedown, focusing on both ScamClub's server infrastructure and its account-level access within the ad tech supply chain, marked a significant victory. The immediate effect was a substantial reduction in ScamClub's malvertising traffic, temporarily cleansing the ad tech ecosystem of their influence. However, the real success lay in the collaborative effort and the strategic shift towards targeting the economic foundations of malvertising operations.

Confiant cyber threat team attributed ScamClub activity with high confidence to WayTop International. When we presented the findings and technical evidence to our cloud supply-chain partners they took swift action to take down ScamClub activity from their servers. That resulted in a 96% drop on September 26th, and then 100% drop on the following day. The action resulted in ad tech being completely free of ScamClub for the first time since 2018.

ScamClub Impressions 09.2023, source: Confiant

With the technical takedown action successfully completed, the clock started ticking on how long it would take for ScamClub to reestablish new servers.

Coordinating a supply chain disruption

Our supply chain action was anchored by a few key elements:

• ScamClub was widespread and deeply embedded in programmatic display and native advertising. Our ScamClub threat intelligence research found ScamClub malvertising present in 31 SSPs via 12 DSPs and 8 Ad Platforms, impacting 55% of Publishers.
• Confiant’s smoking gun evidence allowed for direct identification of the ad platforms and networks that had served as direct access providers to ScamClub.
• Confiant wanted to shift the status quo away from only blocking ads toward more impactful actions that disrupt the source of criminals' business relationships in the ad tech marketplace.
• It was in our clients’ best interest to stop the malvertising running on their networks and impacting their reputation as close to the source as possible.
• Confiant designed the action to evaluate the industry’s interest in collaborating, what level of impact it had on our partner networks, and how long it would take ScamClub to recover from this new action. 

The action against ScamClub aimed not only to disrupt their operations but also to gauge the industry's response to clear evidence of criminal activity. Detecting such actors is challenging because they often appear as regular advertisers. So even though the criminal ad revenue is individually not desirable by legitimate companies, the onus is on the whole industry to adhere to that standard or the criminal activity sneaks in. It’s just too easy to accept the money first and only ask questions after (if ever).

Consistently and systematically identifying the bad signals like ScamClub’s ads amidst the noise of normal digital advertising activity is a non-trivial task that many competing solutions cannot accomplish. Establishing reliable visibility into programmatic ad linkages in ad tech and navigating between primary agents, secondary agents, and tertiary agents in the process is challenging due to several factors:

1. Complexity of the ecosystem: The ad tech ecosystem is vast and complex, involving multiple intermediaries such as ad exchanges, demand-side platforms (DSPs), supply-side platforms (SSPs), ad networks, data management platforms (DMPs), and more. Each of these entities may have their own non-standardized systems and processes for managing ad campaigns, making it difficult to track the entire journey of an ad impression.
2. Lack of transparency: Transparency issues plague the ad tech industry, also raising concerns about hidden fees, ad fraud, and lack of visibility into where ads are being served. This lack of transparency makes it challenging to track the path of the ads or attribute the ad with those who placed it and the intermediaries that were involved.
3. Data silos: Data silos exist within and between different entities in the ad tech ecosystem, making it difficult to aggregate and analyze data across the entire supply chain. This fragmentation hampers efforts to gain a comprehensive understanding of ad linkages and performance.
4. Dynamic nature of the internet: The internet is constantly evolving, with new websites, apps, and platforms emerging all the time. This dynamic environment makes it challenging to maintain accurate ad linkages as audience behavior and content consumption patterns change continuously.

Addressing these systemic difficulties requires visibility and long term collaboration across the industry for data sharing and transparency, efforts that are slowly advancing.

Confiant reached out to 15 ad tech platforms before executing a technical takedown against ScamClub. These platforms were indirectly enabling ScamClub's activities. Confiant asked them to collaborate in disrupting ScamClub's access to their industry. Some platforms hesitated, as it meant acknowledging their revenue supported criminal activity. Only seven responded, with one denying involvement despite evidence. Internal conflicts, like revenue reductions and commission cuts, complicated their decisions. Six platforms engaged, some quicker than others, but all committed to rejecting criminally funded revenue.

By the time the technical takedown executed, several key links were severed and more were in review. Not enough to sustain lasting limitations on ScamClub once they surmounted the technical action, but enough to educate Confiant in how to make the supply chain disruptions more impactful in the future.

What's in the Future

Our Vision

Confiant is dedicated to improving the ad tech landscape by thwarting threat actors' attempts to exploit users on premium ad sites. Following a successful takedown operation in September, Confiant is now doubling down on transparency and attribution within the online advertising ecosystem. To achieve this, we're enhancing infrastructure, investing in forensic ad tech analysis, and focusing on identifying the parties involved in threat actor supply chains. By gathering detailed forensic evidence and documenting account-level linkages, we aim to respond to attacks more swiftly and effectively. Our ultimate goal is to enhance transparency in the ad industry, enabling a shift from merely blocking ads to blocking access for threat actors.

A Call For Improved Standards

The ad industry lacks a robust standard for demand verification, which is crucial due to rising global ad-based threats. Confiant's 2023 Annual MAQ reveals alarming statistics, with one in every 79 programmatic impressions showing significant security or quality issues, the highest rate since 2018. On average, one in every 384 impressions poses a security risk to users. Threat actors exploit the digital ad industry for criminal gain, necessitating industry-wide action for better protection. Confiant advocates for stronger demand verification standards to identify and address malicious buyers effectively. Threats extend beyond programmatic channels to social, search, video, native, and in-app advertising. With threat actors becoming increasingly sophisticated, urgent industry coordination is crucial to mitigate the growing problem.

Conclusion and Industry Challenge

The battle against ScamClub underscores the critical need for heightened vigilance, collaboration, and innovation in cybersecurity within the ad tech industry.  As malvertising threats evolve, so must our strategies to combat them, ensuring a secure and trustworthy digital advertising environment for all stakeholders.

Confiant is prioritizing the rapid dissemination of crucial insights to combat criminally funded ad campaigns. Confiant aims to provide our ad tech partners with actionable information enabling them to cut off criminals' access to ad platforms. We're imploring the industry to take a firmer stance against criminal activity and empowering it to do so effectively.

Key Takeaways

• Confiant’s exceptional threat intel enabled a ScamClub-free ad tech ecosystem for several days
• The supply chain takedown test yielded repeatable, actionable results
• Increased industry engagement is needed to fight malvertising effectively and consistently
• Eliminating malvertising comes at the cost of rejecting criminally funded revenue
• Improving supply chain transparency is crucial, so security solutions can work effectively
• Investing in effective security solutions is essential

Read the technical article on Medium, learn more about "ScamClub’s Deceptive Landing Pages" in our related article, or download the full report below: