Assessment:  Two new malicious campaigns emerged and were blocked this weekend.  

Threat #1:  Affecting both mobile and desktop, fake fashion & car ads are redirecting users to unwanted landing pages like the ones below. 

Sample landing pages:

Threat #2:  Also affecting mobile and desktop, this campaign rotated malicious scripts from an ad server CDN to drive users to nefarious landing pages like hlcczebndb[dot]com.

Affected platforms:  Uprival Adserver, Verizon, Sonobi

Assessment:  Three separate redirect campaigns launched over the weekend.

Threat #1:   A script hosted on various raxcdn domains redirecting to domains such as licantrums[dot]com.  Primarily impacted desktop users on Chrome and Safari.  

Affected Platforms:  Sovrn, Index & RhythmOne/Unruly

Threat #2:   Campaign using steganography to forcefully redirect users to domains such as:

Threat #3:  Campaign, primarily on desktop, driving users to a fake Norton Antivirus page.  

Affected platforms:  Bidmond DSP, Reklamstore DSP

Assessment:  A redirect campaign was detected that used a number of methods seen this past summer, driving users to sites like bestads[dot]online.  The creative loads a PNG image that contains additional JS hidden via steganography.  The campaign targeted the US, primarily iPhone users, with a small percentage on desktop.

Affected Platforms:  Advangelists DSP >> Rubicon

Assessment:  A new forceful redirect campaign drives both desktop and mobile users to download MacClean booster software, which is itself an adware/malware program.  Fraudsters achieve this redirect by using known malicious domains and malicious JavaScript in the ad code, which automatically redirects end users to the malware download.

Malicious landing page domains

  • maccleanbooster[dot]com
  • sharpguard[dot]club
  • productresearch[dot]club

Assessment:  New redirect campaign from multiple buyers hijacking ads on both desktop and mobile devices across the US.  The campaign is driving users to landing pages like:  

storefreeuberapplication[dot]best
licantrums[dot]com
syncmost-thespeedyfile[dot]best
retailg[dot]xyz
driverfixersoftware[dot]com

Affected Platforms:  Rubicon/Index/TripleLift >> The Trade Desk >> Adform/Placelocal
