Assessment:  Three separate redirect campaigns launched over the weekend.

Threat #1:   A script hosted on various raxcdn domains redirected users to domains such as licantrums[dot]com.  It primarily impacted desktop users on Chrome and Safari.

Affected Platforms:  Sovrn, Index & RhythmOne/Unruly

Threat #2:   Campaign using steganography to forcefully redirect users to domains such as:



Threat #3:  Campaign, primarily on desktop, driving users to a fake Norton Antivirus page.  

Affected platforms:  Bidmond DSP, Reklamstore DSP


Assessment:  Redirect campaign detected that utilized a number of methods seen this past summer, driving users to sites like bestads[dot]online.  The creative loads a PNG image that contains additional JS via steganography.  The campaign targeted the US, primarily on iPhone, with a small percentage also on desktop.

Affected Platforms:  Advangelists DSP >> Rubicon

Assessment:  New forceful redirect campaign drives both desktop and mobile users to download MacClean booster software, which is itself an adware/malware program. Fraudsters achieve this redirect by using known malicious domains and malicious JavaScript in the ad code, which automatically redirects end users to download malware.

Malicious landing page domains

  • maccleanbooster[dot]com
  • sharpguard[dot]club
  • productresearch[dot]club


Assessment:  New redirect campaign from multiple buyers hijacking ads on both desktop and mobile devices across the US.  The campaign is driving users to landing pages like:  


Affected Platforms:  Rubicon/Index/TripleLift >> The Trade Desk >> Adform/Placelocal


Assessment:  New redirect campaign surfaced, which involved the use of steganography. The hijackers hid the malicious code within an unassuming GIF file in an effort to avoid detection until the ad was served. The end result for users was an AppStore "page not found" landing page.

Affected Platform:  Rubicon
