Assessment:  New mobile targeted redirect campaign driving users to a common Amazon pop-up interface. Fraudsters achieve this redirect by tracking the basic click event on the malicious ads. The ad shows imagery itself includes a fake notification often prompting users to click, directing them to the malicious page.

Affected Platforms:  MoPub

Creative:

Landing page:

Assessment: Desktop auto-redirect campaign targeting multiple browsers.  Malicious ads use fastly.net to host their malicious code and redirect users to malicious landing pages, often containing a fake survey or link to a fake casino mining bitcoins.

Affected Platforms:  Sizmek DSP

Assessment:  Multiple new redirect campaigns detected driving users to .best, .club and .online domains.  Campaigns are using various known methods and fingerprinting to target mobile devices and specifically looking for certain user agent strings.  Fraudsters are looking for known wrappers as part of their execution code.

Affected platforms:  MediaMath, Acuity & Weborama

Sample Creative & Landing Page

  

Assessment: Redirect campaign emerged 6/13 targeting iPhone and iPads devices across the US.  The campaign utilized a handful of s3 script files attempting to drive traffic to various .icu domains.

Affected platforms:  Beachfront Media

Hijacked creative:

Assessment:  New rash of redirects targeting US & Germany mobile and desktop devices.  Over 1.5M ads blocked over a 3 day period.  Various CloudFront endpoints are being used to load analytics libraries hosting malicious content. 

Affected Platforms:  TradeDesk >> AppNexus

Ad Creative:

`` `` ``