Cybersecurity researchers have uncovered a large-scale malvertising campaign dubbed DeceptionAds, which uses fake CAPTCHA verification pages to deliver information stealers like Lumma malware. The campaign primarily targets visitors of pirated movie and clickbait websites, generating over 1 million daily ad impressions across more than 3,000 sites. Users are redirected to fraudulent CAPTCHA pages, where they are tricked into copying and executing Base64-encoded PowerShell commands, resulting in malware deployment that steals credentials and other sensitive data.
At the heart of this operation lies the abuse of legitimate ad networks and tracking services. Threat actors rely on Monetag, a monetization platform, to distribute malicious traffic while using BeMob ad-tracking services to cloak the final payload. The traffic flows through a Traffic Distribution System (TDS), redirecting unsuspecting visitors to fake CAPTCHA pages hosted on platforms like Oracle Cloud, Scaleway, Bunny CDN, and Cloudflare R2. This multi-layered approach complicates content moderation efforts and enables attackers to evade detection effectively.
Guardio Labs, which uncovered the campaign, noted that the threat actors registered as publishers with Monetag and leveraged BeMob’s reputation to bypass scrutiny. Following responsible disclosure, Monetag and BeMob removed over 200 accounts associated with the malicious activity. However, signs of the campaign resurfaced as of December 5, 2024, indicating the resilience of these operations and the continued exploitation of ad networks for malicious purposes.
The DeceptionAds campaign highlights the need for robust content moderation and stricter account validation to prevent fake registrations and misuse of legitimate platforms. It also underscores how fragmented responsibilities across ad networks, publishers, and hosting providers allow such campaigns to thrive. As attackers refine their tactics, collaboration across the cybersecurity ecosystem is critical to mitigate these threats and protect users from deceptive malvertising schemes.
Reference:
