ScamClub, a notorious malvertising actor, has been caught delivering a wave of fake McAfee virus alerts across top-tier news sites. The findings were shared by Malwarebytes in its latest research.
ScamClub's Latest Malvertising Campaign
Malwarebytes, a leading anti-malware vendor, exposed ScamClub's most recent malvertising crusade infiltrating mobile news platforms of industry giants like the Associated Press, ESPN, and CBS.
The campaign redirects unsuspecting visitors to counterfeit virus alerts, orchestrated by a malevolent McAfee affiliate.
Closer Look at Malvertising Tactics
Malvertising strategies often involve threat actors posing as legitimate advertisers or marketing affiliates, utilizing commercial ad networks to propagate malicious ads.
In this instance, the rogue affiliate steers users toward a fabricated McAfee antivirus scanner, a form of scareware, residing at the domain "systemmeasures[.]life."
A vigilant Mastodon user, Blair Strater, detected this campaign while browsing the APNews mobile site, where he encountered redirects to the deceptive McAfee antivirus scanner, TechTarget reports.
On certain occasions, he found himself redirected to an authentic McAfee checkout page.
Strater speculates that the affiliate behind the scheme may be part of McAfee's affiliate program, implicating them in the dissemination of malicious scareware takeover ads.
Unmasking the Malicious Affiliate
Malwarebytes disclosed that the affiliate, identified as "affid=1494," had a history of abuse, as reported by YouTube personality and software engineer Jim Browning. Despite those reports, the affiliate's activity persists unchecked; the same affiliate had previously been flagged for a separate campaign of fake McAfee subscription-expiration alerts.
Upon notification, McAfee responded through its Help Twitter account, expressing a commitment to addressing such threats. However, Malwarebytes contends that the affiliate's malicious operations continue unabated, raising concerns about the efficacy of countermeasures.
"As far as we can tell, this affiliate has not been banned yet. We also reported it on several occasions," Jérôme Segura of Malwarebytes told TechTarget.
ScamClub's Long-Term Operation: A Dark History
ScamClub's malevolent activities date back to at least 2018, as observed by ad security vendor Confiant. Their initial campaign involved a massive browser hijacking operation redirecting iOS users to scam pages, resulting in the compromise of approximately 300 million browser sessions within a mere 48-hour span.
Technical Maneuvers: Evading Detection with Precision
Malwarebytes researchers unearthed a previously exploited domain connected to the systemmeasures[.]life landing page. They also detailed ScamClub's use of obfuscation in its JavaScript payload, including randomized variable names, to evade detection.
Previously hosted on Google Cloud services, ScamClub's JavaScript code found a new haven in Microsoft's Azure CDN. Researchers revealed that ScamClub abused at least 16 different digital ad exchanges through real-time bidding.
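As an added defender-side example (not code from Malwarebytes or the article), the following Python scans constructed proxy log lines for redirects to the indicators named above: the systemmeasures[.]life landing domain and the affid=1494 affiliate parameter. The log format and the example.* hosts are assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse, parse_qs

# Indicators named in the article: the scareware landing domain and the
# affiliate id carried on the McAfee checkout redirects.
SCAREWARE_DOMAINS = {"systemmeasures.life"}
ABUSIVE_AFFIDS = {"1494"}

def classify_destination(url: str) -> Optional[str]:
    """Label a redirect destination that matches a known ScamClub indicator."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # The landing domain itself or any subdomain of it.
    if any(host == d or host.endswith("." + d) for d in SCAREWARE_DOMAINS):
        return "scareware-landing"
    # The affiliate id on a checkout URL, wherever that page is hosted.
    if any(a in ABUSIVE_AFFIDS for a in parse_qs(parsed.query).get("affid", [])):
        return "abusive-affiliate"
    return None

def find_forced_redirects(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (referrer, destination, label) for each suspicious redirect.
    Constructed log format (hypothetical): "<timestamp> <referrer> <destination>";
    malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, referrer, dest = parts
        label = classify_destination(dest)
        if label:
            hits.append((referrer, dest, label))
    return hits

# Constructed sample lines; hosts other than the landing domain are placeholders.
SAMPLE_LOG = [
    "2024-02-13T10:01:02Z https://news.example/story/1 https://cdn.example/ad.js",
    "2024-02-13T10:01:03Z https://news.example/story/1 https://systemmeasures.life/scan?sid=abc",
    "2024-02-13T10:02:10Z https://systemmeasures.life/scan https://checkout.example/buy?affid=1494",
    "2024-02-13T10:03:00Z https://news.example/story/2 https://checkout.example/buy?affid=42",
    "garbage line",
]

if __name__ == "__main__":
    for referrer, dest, label in find_forced_redirects(SAMPLE_LOG):
        print(f"{label:20} {referrer} -> {dest}")
```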
While Malwarebytes for Android protects against this malvertising onslaught, iOS users face heightened exposure. ScamClub deliberately targets the mobile web, where Apple-imposed restrictions on third-party security software leave iOS users with fewer protections.
Apple's Dilemma: Balancing Security and Limitations
Segura highlighted Apple's restrictive policies that limit third-party security software on iOS devices, leaving users with constrained protection options.