Cybersecurity researchers have shed light on a previously undocumented aspect associated with ClickFix-style attacks that hinge on taking advantage of a single ad network service as part of a malvertising-driven information stealer campaign dubbed DeceptionAds.
“Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily ‘ad impressions’ [in the last ten days] and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic,” Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News.
The campaigns, as documented by several cybersecurity companies in recent months, involve directing visitors of pirated movie sites and others to bogus CAPTCHA verification pages that instruct them to copy and execute a Base64-encoded PowerShell command, ultimately leading to the deployment of information stealers like Lumma.
The attacks are no longer confined to a single actor, with Proofpoint recently stating that multiple “unattributed” threat clusters have embraced the clever social engineering approach to deliver remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4.
Guardio Labs said it was able to trace the origins of the campaign to Monetag, a platform that claims to offer several ad formats to “monetize websites, social traffic, Telegram Mini Apps,” with threat actors also leveraging services like BeMob ad-tracking to cloak their malicious intent. Monetag is also tracked by Infoblox under the names Vane Viper and Omnatuor.
The campaign effectively boils down to this: website owners (i.e., threat actors) register with Monetag, after which traffic is redirected to a Traffic Distribution System (TDS) operated by the malvertising ad network, ultimately taking visitors to the CAPTCHA verification page.
“By supplying a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag’s content moderation efforts,” Tal explained. “This BeMob TDS finally redirects to the malicious CAPTCHA page, hosted on services like Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and even Cloudflare’s R2.”
Guardio told The Hacker News that the campaign leveraging Monetag and BeMob appears to be run by a single actor who has exploited the infrastructure associated with these networks to reach victims in massive numbers. It’s also worth noting that the campaign involves different fake CAPTCHA variants propagating solely via malvertising.
Following responsible disclosure, Monetag has removed over 200 accounts linked to the threat actor as of late November 2024. BeMob, in a similar effort, removed the accounts that were used for cloaking. That said, there are signs that the campaign has resumed again as of December 5.
The findings once again highlight the need for content moderation and robust account validation to prevent fake registrations.
“From deceptive publisher sites offering pirated or clickbait content to complex redirect chains and cloaking techniques, this campaign underscores how ad networks, designed for legitimate purposes, can be weaponized for malicious activities,” Tal said.
“The result is a fragmented chain of responsibilities, with ad networks, publishers, ad statistics services, and hosting providers each playing a role yet often avoiding accountability.”
