Assessment: Over the past couple of months, we have seen a spike in malicious creatives that redirect users to various fake antivirus popups, such as McAfee, Norton, etc. Our research team identified new signatures, and since January 06, 2022, we’ve seen 8.2 million blocks impacting 2210 domains. When the malicious creative loads, it uses a server-side redirection technique, which makes detection difficult because most of the malicious redirection code executes on the server side rather than being hard-coded in the creative itself. The chain takes multiple hops to reach the final malicious fake antivirus popup.
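An added example, not part of the original advisory: because the redirection runs server-side, a check has to work from the HTTP responses captured while a creative loads rather than from the creative's markup. The hop records, hostnames, the `declared_landing` parameter and the `max_hops` threshold below are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed capture of one creative load: (requested URL, status, Location header).
# Every hostname is a placeholder under the reserved .example / .test names.
CAPTURED_HOPS = [
    ("https://cdn.adserver.example/creative/123", 302, "https://track.hop-one.example/r?id=9"),
    ("https://track.hop-one.example/r?id=9", 302, "//gate.hop-two.example/go"),
    ("https://gate.hop-two.example/go", 307, "https://scan-alert.test/warning"),
    ("https://scan-alert.test/warning", 200, None),
]
REDIRECT_CODES = {301, 302, 303, 307, 308}

def site(url):
    """Crude site key: last two host labels (assumption; use a public-suffix list in production)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def rebuild_chain(hops, start):
    """Follow Location headers through the capture, resolving relative targets."""
    by_url = {url: (status, loc) for url, status, loc in hops}
    chain, url = [start], start
    while url in by_url:
        status, loc = by_url[url]
        if status not in REDIRECT_CODES or not loc:
            break                      # terminal response: this is the landing page
        url = urljoin(url, loc)        # handles "/path" and "//host/path" targets
        if url in chain:               # redirect loop: stop instead of spinning
            break
        chain.append(url)
    return chain

def assess(hops, start, declared_landing, max_hops=2):
    """Flag loads whose server-side chain is long or ends off the declared landing site."""
    chain = rebuild_chain(hops, start)
    mismatch = site(chain[-1]) != site(declared_landing)
    return {
        "chain": chain,
        "server_side_hops": len(chain) - 1,
        "sites": list(dict.fromkeys(site(u) for u in chain)),
        "landing_mismatch": mismatch,
        "flag": mismatch or len(chain) - 1 > max_hops,
    }

if __name__ == "__main__":
    print(assess(CAPTURED_HOPS, CAPTURED_HOPS[0][0], "https://www.advertiser.example/"))
```

Only HTTP-level redirects appear in such a capture; hops performed by script on an intermediate page would need a browser-based crawl to record.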
Sample malicious URL/Script used in the redirect chain:
Affected Platform: Appnexus
Redirect Landing Page: