ScamClub Malvertising Campaign Infects ESPN, Other News Sites With Fake McAfee Alerts

The malvertising actor has been found spreading fake virus alerts on notable news sites.

ScamClub, a notorious malvertising actor, has been found delivering a wave of fake McAfee virus alerts across top-tier news sites. The findings were shared by Malwarebytes in its latest research.

ScamClub's Latest Malvertising Campaign

Malwarebytes Labs spotted a new malvertising campaign that targets news sites with malicious McAfee alerts. The scheme involves masquerading as legitimate affiliates of their victim domains. (Photo: Kevin Ku from Unsplash)

Malwarebytes, a leading anti-malware vendor, exposed ScamClub's most recent malvertising crusade infiltrating mobile news platforms of industry giants like the Associated Press, ESPN, and CBS.

The campaign redirects unsuspecting visitors to counterfeit virus alerts, orchestrated by a malevolent McAfee affiliate.

Closer Look at Malvertising Tactics

Malvertising strategies often involve threat actors posing as legitimate advertisers or marketing affiliates, utilizing commercial ad networks to propagate malicious ads.

In this instance, the rogue affiliate steers users toward a fabricated McAfee antivirus scanner, a form of scareware, residing at the domain "systemmeasures[.]life."

A vigilant Mastodon user, Blair Strater, detected this campaign while browsing the APNews mobile site, where he encountered redirects to the deceptive McAfee antivirus scanner, TechTarget reports.

On certain occasions, he found himself redirected to an authentic McAfee checkout page.

Strater speculates that the affiliate behind the scheme may be part of McAfee's affiliate program, implicating them in the dissemination of malicious scareware takeover ads.

Unmasking the Malicious Affiliate

Malwarebytes disclosed that the affiliate, identified as "affid=1494," had a history of abuse, as reported by YouTube personality and software engineer Jim Browning. The affiliate had been flagged for a separate campaign using fake McAfee subscription expiration alerts, and despite those reports its activities persist unchecked.

Upon notification, McAfee responded through its Help Twitter account, expressing a commitment to addressing such threats. However, Malwarebytes contends that the affiliate's malicious operations continue unabated, raising concerns about the efficacy of countermeasures.

"As far as we can tell, this affiliate has not been banned yet. We also reported it on several occasions," Jérôme Segura of Malwarebytes told TechTarget.

ScamClub's Long-Term Operation: A Dark History

ScamClub's malevolent activities date back to at least 2018, as observed by ad security vendor Confiant. Their initial campaign involved a massive browser hijacking operation redirecting iOS users to scam pages, resulting in the compromise of approximately 300 million browser sessions within a mere 48-hour span.

Technical Maneuvers: Evading Detection with Precision

Malwarebytes researchers unearthed a previously exploited domain connected to the systemmeasures[.]life landing page. They also detailed ScamClub's cunning use of obfuscation techniques in their JavaScript payload, including random variable name changes, effectively evading detection.

Previously hosted on Google Cloud services, ScamClub's JavaScript code found a new haven in Microsoft's Azure CDN. Researchers revealed that ScamClub exploited at least 16 different digital ad exchanges through real-time bidding.
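The two indicators this article names, the scareware domain systemmeasures[.]life and the affiliate tag affid=1494, can be matched against web proxy logs. The Python below is an added example, not code from Malwarebytes or the article; the log format, the sample lines, and the assumption that McAfee checkout pages are served under mcafee.com are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the article, kept in their published (defanged) form.
SCAREWARE_DOMAINS = {"systemmeasures[.]life"}
FLAGGED_AFFIDS = {"1494"}
VENDOR_DOMAIN = "mcafee.com"  # assumption: checkout pages live under this domain

def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def host_matches(host, domain):
    # Exact host or a true subdomain. A substring check would also match
    # look-alikes such as "systemmeasures.life.example.net".
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'scareware', 'flagged_affiliate', or None for one requested URL."""
    parts = urlsplit(url)
    if any(host_matches(parts.hostname, refang(d)) for d in SCAREWARE_DOMAINS):
        return "scareware"
    if host_matches(parts.hostname, VENDOR_DOMAIN):
        # Compare the whole parameter value so affid=14940 is not a hit.
        affids = parse_qs(parts.query).get("affid", [])
        if any(a.strip() in FLAGGED_AFFIDS for a in affids):
            return "flagged_affiliate"
    return None

def scan(log_lines):
    """Return (timestamp, client, referrer, verdict) for each matching line.
    Line format (constructed): '<timestamp> <client> <url> <referrer>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, client, url, referrer = fields
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, referrer, verdict))
    return hits

# Constructed sample log: clients, paths and the news referrer are made up.
SAMPLE_LOG = [
    "2024-01-10T08:00:01Z 10.0.0.5 https://news.example/story -",
    "2024-01-10T08:00:03Z 10.0.0.5 https://scan.systemmeasures.life/a?x=1 https://news.example/story",
    "2024-01-10T08:00:09Z 10.0.0.5 https://www.mcafee.com/checkout?x=1&affid=1494 https://scan.systemmeasures.life/a?x=1",
    "2024-01-10T08:01:00Z 10.0.0.7 https://systemmeasures.life.example.net/ -",
    "2024-01-10T08:02:00Z 10.0.0.8 https://www.mcafee.com/checkout?affid=14940 -",
]
```

The referrer column in each hit shows which page the redirect came from, which helps identify the publisher page or ad slot to report.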

While Malwarebytes for Android protects against this malvertising onslaught, iOS users face heightened vulnerability. ScamClub strategically targets the mobile web, where iOS devices have fewer security options because of Apple-imposed restrictions.

Apple's Dilemma: Balancing Security and Limitations

Segura highlighted Apple's restrictive policies that limit third-party security software on iOS devices, leaving users with constrained protection options.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.