A sophisticated malvertising campaign dubbed “DeceptionAds” has been uncovered by cybersecurity researchers, revealing a complex operation that exploits legitimate ad network services to distribute information-stealing malware. The campaign, which generates over 1 million daily ad impressions, operates through a network of 3,000+ content sites.
The attack chain starts with redirects from pirated-movie sites to fake CAPTCHA verification pages. Rather than exploiting the browser, the page instructs the visitor to run a Base64-encoded PowerShell command on their own machine; that command fetches and runs a stager which ultimately deploys information stealers such as Lumma. Multiple threat actors have adopted the same fake-CAPTCHA technique to deliver other payloads, including remote access trojans and post-exploitation frameworks.
Researchers identified Monetag, an advertising platform, as the primary vehicle for this campaign. Threat actors register with Monetag as ordinary website owners and put the BeMob ad-tracking service in front of their landing pages to cloak the real destination from the ad network's review. The traffic flow follows a specific pattern:
1. Website registration with Monetag as a publisher
2. Traffic redirection through a traffic distribution system (TDS)
3. Final redirect to malicious CAPTCHA pages hosted on various cloud services
Following disclosure, Monetag removed over 200 suspicious accounts, and BeMob eliminated accounts used for cloaking. However, the campaign has shown signs of revival as of December 5, 2024.
This investigation highlights structural weak points in the digital advertising supply chain: self-service publisher accounts, third-party tracking links that double as cloaking layers, and disposable cloud-hosted landing pages. It underlines the need for stronger content moderation and account validation on the part of ad networks and tracking services if legitimate advertising platforms are not to keep serving as malware distribution channels.