Malvertising comes in all shapes and forms, but some are more nefarious than others. DeceptionAds is a new strain of malvertising where scammers use legitimate ad platforms and ensure that their malicious website dodge moderation as much as possible, allowing their bad ads to get a million impressions daily.
DeceptionAds Abuses Legitimate Channels to Spread PowerShell Malware
As reported by Guard.io, DeceptionAds is a fake CAPTCHA page that asks the user to copy and paste a command to activate PowerShell malware. This attack vector is nothing new; we actually saw this same attack when we reported on McAfee’s discovery back in October.
What makes this particular instance noteworthy is how it spreads. To get people onto these fake CAPTCHA websites, the cybercriminals set up a system where they sent out fake ads through Monetag, a legitimate ad network. Monetag has moderation tools to prevent attacks like these, but cybercriminals are tied to a second legitimate service called BeMob, which is designed to perform ad tracking.
Of course, the criminals aren’t really interested in performing ad tracking on their fake websites. Instead, they passed the malicious website’s BeMob URL to Monetag. Because BeMob is a trusted source, Monetag accepted the link and didn’t flag it during moderation checks. This allowed the cybercriminals to have their malicious ads shown 1 million times a day across 3000+ websites.
Fortunately, Guard.io has reported these cases, and both Monetag and BeMob have taken down the offending ads and removed the bad agents behind them. However, it provides insight into how malvertisers leverage official, legitimate channels to spread their websites without being caught.
Fortunately, avoiding this attack is the same with all malvertisements. Once you know what to look for in malvertising, you can spot fake ads and avoid clicking on them in the first place.