Assessment:  New forced redirect campaign drives both desktop and mobile users to download MacClean booster software, which is itself an adware/malware program. Fraudsters achieve the redirect by loading known malicious domains and malicious JavaScript from the ad code, which automatically sends the end user to the malware download.

Malicious landing page domains

  • maccleanbooster[dot]com
  • sharpguard[dot]club
  • productresearch[dot]club

Campaign creative & landing page

Assessment:  New redirect campaign from multiple buyers hijacking ads on both desktop and mobile devices across the US.  The campaign drives users to landing pages such as:

  • storefreeuberapplication[dot]best
  • licantrums[dot]com
  • syncmost-thespeedyfile[dot]best
  • retailg[dot]xyz
  • driverfixersoftware[dot]com

Affected Platforms:  Rubicon/Index/TripleLift >> The Trade Desk >> Adform/Placelocal

Hijacked Creative & Landing Pages

Assessment:  New redirect campaign surfaced that used steganography: the hijackers hid the malicious code inside an unassuming GIF file so that it would not be detected until the ad was served. The end result for users was an App Store "page not found" landing page.

Affected Platform:  Rubicon
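The report does not say how the code was embedded in the GIF, so the following is an added illustration, not the campaign's code or a tool from the original post. It walks a GIF's block structure and surfaces the two places where arbitrary bytes can ride along in a file that still renders as an image: comment extensions and bytes after the 0x3B trailer. The sample GIFs and the payload string are constructed for the example.

```javascript
// Added example, not code from the original report: walk a GIF's block structure and
// surface the places where arbitrary bytes can ride along in a file that still renders:
// comment extensions and bytes after the 0x3B trailer. The sample GIFs and the payload
// string are constructed here; the report does not say how the campaign embedded its code.

// Read a chain of data sub-blocks ([len][data] ... [0]) starting at pos.
function readSubBlocks(buf, pos) {
  const chunks = [];
  while (pos < buf.length) {
    const len = buf[pos++];
    if (len === 0) return { data: Buffer.concat(chunks), pos };
    chunks.push(buf.subarray(pos, pos + len));
    pos += len;
  }
  throw new Error("truncated sub-block chain");
}

// Strings that have no business in an image comment.
const JS_MARKERS = /eval\(|document\.|location|<script|atob\(|String\.fromCharCode/i;

function inspectGif(buf) {
  const sig = buf.subarray(0, 6).toString("latin1");
  if (sig !== "GIF89a" && sig !== "GIF87a") throw new Error("not a GIF");
  let pos = 6;
  const packed = buf[pos + 4];                 // logical screen descriptor, packed field
  pos += 7;
  if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // global color table
  const findings = { comments: [], trailing: "", suspicious: false };
  let done = false;
  while (!done && pos < buf.length) {
    const tag = buf[pos++];
    if (tag === 0x2c) {                        // image descriptor
      const ipacked = buf[pos + 8];
      pos += 9;
      if (ipacked & 0x80) pos += 3 * (1 << ((ipacked & 0x07) + 1)); // local color table
      pos += 1;                                // LZW minimum code size
      pos = readSubBlocks(buf, pos).pos;       // compressed pixel data, not decoded here
    } else if (tag === 0x21) {                 // extension block
      const label = buf[pos++];
      const { data, pos: next } = readSubBlocks(buf, pos);
      pos = next;
      if (label === 0xfe) findings.comments.push(data.toString("latin1"));
    } else if (tag === 0x3b) {                 // trailer: a well-formed file ends here
      done = true;
    } else {
      throw new Error(`unexpected block 0x${tag.toString(16)} at offset ${pos - 1}`);
    }
  }
  findings.trailing = buf.subarray(pos).toString("latin1");
  findings.suspicious =
    findings.trailing.length > 0 || findings.comments.some(c => JS_MARKERS.test(c));
  return findings;
}

// Build a copy of `base` with `text` inserted as a comment extension after the
// logical screen descriptor (assumes `base` has no global color table, like CLEAN_GIF).
function gifWithComment(base, text) {
  const data = Buffer.from(text, "latin1");
  const parts = [Buffer.from([0x21, 0xfe])];
  for (let i = 0; i < data.length; i += 255) {  // sub-blocks carry at most 255 bytes
    const chunk = data.subarray(i, i + 255);
    parts.push(Buffer.from([chunk.length]), chunk);
  }
  parts.push(Buffer.from([0x00]));
  return Buffer.concat([base.subarray(0, 13), ...parts, base.subarray(13)]);
}

// Constructed 1x1 GIF with a harmless comment.
const CLEAN_GIF = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,                   // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,             // 1x1, no global color table
  0x21, 0xfe, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x00, // comment extension "hello"
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
  0x02, 0x02, 0x44, 0x01, 0x00,                         // LZW code size 2 + one sub-block
  0x3b,                                                 // trailer
]);

// Constructed stand-in for a redirect payload; the real campaign's code is not reproduced.
const PAYLOAD = "document.location='https://example.invalid/landing'";
const STUFFED_GIF = Buffer.concat([CLEAN_GIF, Buffer.from(PAYLOAD, "latin1")]);

for (const [name, gif] of [["clean", CLEAN_GIF], ["trailing", STUFFED_GIF],
                           ["comment", gifWithComment(CLEAN_GIF, PAYLOAD)]]) {
  const f = inspectGif(gif);
  console.log(name, f.suspicious ? "SUSPICIOUS" : "ok",
              `comments=${f.comments.length} trailingBytes=${f.trailing.length}`);
}
```

Both hiding spots survive the image being served and displayed normally, which is why a creative scanner that only checks whether a file decodes as a valid image will not catch them; the check has to walk the blocks and look at what is not pixel data.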

Creative and Landing Page Examples:

Sample Redirect Path:


Assessment:  Two widespread redirect attacks impacting hundreds of publishers were detected and blocked over the weekend.  The campaign primarily targeted desktop Chrome and Safari users and displayed different images depending on the user's ISP.  

One technique used typosquatting to redirect users to scam pop-up sites. Fraudsters register legitimate-looking domains that differ from a real one by a minor typo and host their redirect code there. Typosquatted domains mostly go unnoticed because they look nearly legitimate. One example in this attack used "lijits.com", which is a single letter away from "lijit.com", an ad-serving domain owned by Sovrn Holdings.

Affected platforms:  Rubicon, Index, AOL/Verizon, AppNexus, TripleLift, Amobee (buyer already paused) & Celtra.
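One way to catch the lijits.com / lijit.com pattern before the ad is served, as an added example that is not code from the original post: compare every host an ad tag calls against a list of legitimate ad-serving domains and flag registrable domains that are within one or two edits of a known one. The known-domain list and the sample hosts are constructed for the example; the edit-distance threshold and the "last two labels" rule for the registrable domain are simplifying assumptions.

```javascript
// Added example, not code from the original report: flag hosts in an ad tag's request
// log that are one or two edits away from a legitimate ad-serving domain, the pattern
// behind lijits.com vs lijit.com. The known-domain list and sample hosts are constructed.

const KNOWN_AD_DOMAINS = ["lijit.com", "rubiconproject.com", "adnxs.com", "indexww.com"];

// Levenshtein edit distance with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];                        // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];                   // d[i-1][j]
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Registrable domain, approximated as the last two labels. Assumption: simple TLDs only;
// a deployment would consult the Public Suffix List for co.uk-style suffixes.
function registrableDomain(host) {
  return host.toLowerCase().replace(/:\d+$/, "").split(".").slice(-2).join(".");
}

// "known" = exact match, "lookalike" = within maxDistance edits of a known domain,
// "unknown" = neither. A threshold of 2 is an assumption; tune it against your own list.
function classifyHost(host, known = KNOWN_AD_DOMAINS, maxDistance = 2) {
  const domain = registrableDomain(host);
  if (known.includes(domain)) return { host, verdict: "known", match: domain, distance: 0 };
  let best = null;
  for (const legit of known) {
    const d = editDistance(domain, legit);
    if (d <= maxDistance && (best === null || d < best.distance)) best = { match: legit, distance: d };
  }
  return best
    ? { host, verdict: "lookalike", ...best }
    : { host, verdict: "unknown", match: null, distance: null };
}

// Constructed hosts as they might appear in a creative's network requests.
const SAMPLE_HOSTS = ["ap.lijit.com", "cdn.lijits.com", "ib.adnxs.com", "maccleanbooster.com"];

// Everything that is not a known ad domain, lookalikes first, for an analyst to review.
function triage(hosts = SAMPLE_HOSTS) {
  return hosts.map(h => classifyHost(h))
    .filter(r => r.verdict !== "known")
    .sort((x, y) => (x.verdict === "lookalike" ? 0 : 1) - (y.verdict === "lookalike" ? 0 : 1));
}

for (const r of triage()) {
  console.log(r.verdict.padEnd(9), r.host, r.match ? `~ ${r.match} (d=${r.distance})` : "");
}
```

A lookalike verdict is a stronger signal than an unknown host: an unknown domain may simply be a buyer's own CDN, whereas a domain one edit away from an ad server's has almost no legitimate reason to exist in an ad call.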

Creative and Landing Page Examples:

Assessment:  New mobile-targeted redirect campaign driving users to a familiar Amazon pop-up interface. Fraudsters achieve the redirect by hooking the basic click event on the malicious ads. The ad imagery itself includes a fake notification that prompts users to tap, which sends them to the malicious page.

Affected Platforms:  MoPub

Creative:

Landing page:
