Assessment:  Over 12 Million ads blocked over the weekend driving users to sites like  The campaign was primarily mobile across iOS and Android devices.

Interestingly, this campaign is using one-time-keys to prevent analysts from gaining access to deeper parts of the malicious actors' infrastructure. This results in 404 errors quickly after the use of a link in an attempt to avoid investigations.

Affected Platforms:  Adelphic DSP via Index Exchange

Assessment:  Redirect attack originally detected on Oct 11th is redirecting users to variations of “(today)bestgift(s).space/host/xyz/site”

The attackers leverage their malicious payload via Amazon AWS CDNs using random file names and various methods to evade detection (eg. encoding parameter values, breaking up urls into chucks and recombining). The payload they deliver is highly obfuscated.  The attack first loads an alert that a user has to click to close and then loads a variation of an Walmart Giftcard Sweepstakes page targeting various ISPs.

Affected Platforms:  Pubmatic, Index, SOVRN

Assessment:  Quick moving redirect campaign targeting mobile and desktop devices and impacting over 20% of ADLs customers in 2 days.  Fraudsters hijacked a Dremel ad and used it to deliver the malicious payload.  Infected ads seem to have tapered off as of Monday.

Affected Platforms:  RythmnOne

Hijacked creative

Redirection path

Read More

Assessment: Latest campaign in a series that all abuse websocket functionality to forcefully redirect the page when a user is on a mobile device but serves an actual image if they determine the user is on a PC or otherwise should not be redirected.  We have seen the campaign continue to acquire new domains to avoid detection and we are investigating additional related domains to prevent the spread of this threat.

Affected Platforms:  Common path has been the Voluum DSP via Pubmatic. 

Assessment:  A redirect campaign from earlier this summer has resurfaced impacting about 500K impressions over the past few days.

Affected Platforms:  Common path is via AdMixer & Bidswitch via a DSP called WayTop (waytopmobi).

`` `` ``