ScamClub’s Deceptive Landing Pages

Recently, I was involved in publishing Confiant’s ScamClub: Threat Report Q1-Q2 2023. During our investigation into this malvertising threat, we found ScamClub using its RTB integration with ad exchanges to push bid responses upstream that forcefully redirect the victim’s browser from the publisher site to landing pages containing scams. These scams are meant to entice victims into continuing on to sites that ScamClub is an affiliate of but does not own. ScamClub leads its victims to other business entities’ pages, which contain surveys, CC-submit offers, and other offers, in order to earn a payout from that entity as a marketing partner. Being an affiliate of these platforms has been very lucrative for ScamClub: we estimated approximately $8.5 million in total revenue in the first two quarters of 2023. Exploiting an ad recipient’s browser to forcefully redirect them to a page that scams them into entering credit card details into an unrelated offer reflects negatively on its business partners. In this blog I will cover how ScamClub exploits the ad tech system to bring in confused victims, how it uses deception to scam those victims, and a few entities ScamClub was business partners with.

ScamClub’s Deceptive Nature

ScamClub is a threat actor whose techniques are captured in our Malvertising Attack Matrix. Our team tracks malvertising threats and profiles them based on the techniques they use. More about how we profile these threats can be found in this blog post. I will refer to the specific techniques in the matrix that ScamClub uses in order to tell the story of its deception.

Before the victim ever reaches ScamClub’s landing page, ScamClub employs a technique known as [C204] Forceful redirects. This technique redirects the ad recipient’s browser from where it was, on the publisher website, to somewhere else, with no interaction required. In the case of a bid request won by ScamClub, code runs in the victim’s browser which forcefully redirects it from the publisher’s webs
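As an added illustration of the technique class described above (this is example code written for this page, not code from the report, from Confiant, or recovered from a ScamClub creative), the block below models both sides of a forceful redirect. It shows, in the abstract, what a creative that navigates the top-level page without a user gesture looks like, a first-pass scanner that flags such creatives, and the publisher-side control that decides whether the navigation can succeed at all: the `sandbox` attribute on the ad iframe. The sample creatives are constructed, the function names `scanCreative`, `topNavigationAllowed` and `assessPlacement` are mine, and the sandbox model covers only the documented `sandbox` tokens, not browser-specific user-activation heuristics for unsandboxed cross-origin frames.

```javascript
// Added example for this page; not ScamClub's or Confiant's code.

// Constructed sample creatives (not real ad payloads). The "forceful" one
// assigns a top-level navigation sink on a timer, so no click is needed; the
// "benign" one only navigates inside a click handler, and to a new tab.
const SAMPLE_CREATIVES = {
  forceful: `
    setTimeout(function () {
      window.top.location.href = "https://landing.example/offer?cid=" + Math.random();
    }, 1200);`,
  benign: `
    document.getElementById("cta").addEventListener("click", function () {
      window.open("https://brand.example/landing", "_blank");
    });`,
};

// Assignments and calls that move the *top-level* document, i.e. the publisher
// page, rather than the ad's own frame. Trailing (?!=) avoids matching "==".
const TOP_NAV_SINKS = [
  /\b(?:window\.)?top\.location(?:\.href)?\s*=(?!=)/,
  /\b(?:window\.)?top\.location\.(?:assign|replace)\s*\(/,
  /\b(?:window\.)?parent\.location(?:\.href)?\s*=(?!=)/,
  /\b(?:window\.)?parent\.location\.(?:assign|replace)\s*\(/,
  /\btop\.document\.location(?:\.href)?\s*=(?!=)/,
];

// Crude evidence that navigation is gated behind a user gesture.
const GESTURE_HINTS = /addEventListener\s*\(\s*["'](?:click|pointerup|touchend|keydown)["']/;

// Static triage of a creative's script: does it hit a top-level navigation
// sink, and is there any sign that a user gesture is required first?
// Obfuscated creatives defeat this; it is a first pass, not a verdict engine.
function scanCreative(source) {
  const sinks = TOP_NAV_SINKS.filter((re) => re.test(source)).map(String);
  const gestureGated = GESTURE_HINTS.test(source);
  const topNavigation = sinks.length > 0;
  return {
    topNavigation,
    gestureGated,
    sinks,
    verdict: topNavigation && !gestureGated ? "forceful-redirect" : "ok",
  };
}

// Publisher-side containment. Given the value of the ad iframe's sandbox
// attribute (null when the attribute is absent), decide whether script in the
// creative may navigate the top-level page. Models the sandbox tokens only:
//   absent attribute                          -> nothing here forbids it
//   allow-top-navigation                      -> allowed, gesture or not
//   allow-top-navigation-by-user-activation   -> allowed only with a gesture
//   anything else (including sandbox="")      -> blocked
function topNavigationAllowed(sandboxAttr, userActivated) {
  if (sandboxAttr === null || sandboxAttr === undefined) return true;
  const tokens = new Set(
    sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean)
  );
  if (tokens.has("allow-top-navigation")) return true;
  if (tokens.has("allow-top-navigation-by-user-activation")) {
    return Boolean(userActivated);
  }
  return false;
}

// Put the two together: would this creative, served into this slot, actually
// achieve a no-interaction redirect of the publisher page?
function assessPlacement(creativeSource, sandboxAttr) {
  const scan = scanCreative(creativeSource);
  const allowedWithoutGesture = topNavigationAllowed(sandboxAttr, false);
  return {
    scan,
    allowedWithoutGesture,
    redirectSucceeds: scan.verdict === "forceful-redirect" && allowedWithoutGesture,
  };
}

// A sandbox value that still lets ordinary creatives render and open pop-ups
// on click, but denies unsolicited top-level navigation.
const CONTAINED_SANDBOX =
  "allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation";

console.log(assessPlacement(SAMPLE_CREATIVES.forceful, null));
console.log(assessPlacement(SAMPLE_CREATIVES.forceful, CONTAINED_SANDBOX));
```

The same forceful creative redirects the page when the slot has no sandbox attribute, and is contained when the slot carries `CONTAINED_SANDBOX`, because the only navigation token present requires user activation. Note that `allow-same-origin` was deliberately left out of the contained value: combined with `allow-scripts` on a same-origin frame it lets the creative remove its own sandbox.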

[…]

This article has been indexed from Confiant – Medium
