
Malvertising activity in September

By Jerome Dangu

13 October 2020

This blog post will recap some of the large attacks Confiant observed and prevented during September, identifying the threat groups involved, and some of the tactics currently in use. 

Forced Redirects 

The month of September marked a slow-down for large weekend attacks. There was only one attack, on Sunday, September 6, compared to three in August and four in July.

eGobbler was able to pull off a string of attacks across three different DSPs, allowing them to stay active for about 11 hours. On the supply side, three tier-1 SSPs were most impacted.

Nephos7, the other culprit known for large weekend attacks, was especially quiet. We detected their presence at low volumes on two tier-1 DSPs as they were staging their campaigns, a process that can take up to a month of innocuous activity before any real attack is launched.


These two actors have continued their shift that started at the end of June: 

  • Primarily targeting the United States (compared to Europe previously)
  • On Desktop computers, extending their attack payload to malware downloads via fake software update landing pages 
  • Carrier-branded scams continued to be used in Europe 

Example of a fake software update, drive-by-download weekend attack

Beyond large weekend attacks, September has seen renewed activity from both DCCBoost and Scamclub. DCCBoost is an actor focusing specifically on mobile redirects. Confiant observed a large campaign starting September 10 releasing hundreds of malicious ad creatives over the course of a week. Scamclub specializes in forced redirects (both mobile and desktop) with a current focus on carrier-branded scams. In September, we’ve seen them especially active via a tier-2 SSP.

Scamclub in Italy, September 15th

Bitcoin Scams

September has seen continued increased activity in bitcoin scams. A malvertising scheme pioneered by threat actor Fizzcore, bitcoin-flavored investment scams are gaining popularity with criminal groups, due to their low barrier to entry and high profitability. Over the past 6 months, a long tail of attackers joined in and flooded online advertising with bitcoin scams.

A few examples of bitcoin scam creatives active as of this writing

All these scams broadly follow the same scheme with fake news articles. 

Fake news article/bitcoin scam (September 2020)

Questions around the attacks?

Through our broad visibility on the ad tech ecosystem and leveraging our detection and blocking technology, we are able to directly tie attacks back to threat groups we've been indexing and tracking since 2013. If you have any questions on the attacks for this month or would like to know more about malvertising and how we can help, don't hesitate to reach out to support@confiant.com.