Attack via VAST

  • ScamClub uses VAST tags to redirect users to fraudulent websites.
  • ScamClub inserts obfuscated malicious scripts into the MediaFile elements of VAST tags.
  • To protect against such attacks, real-time verification is necessary.

At the end of last year, ScamClub, an organized cybercriminal network, began using VAST tags with encrypted scripts to redirect users to malicious websites. The redirection occurs regardless of whether the user watched the advertisement.

In January, the number of such attacks increased. For the first time, the market faced a large-scale problem in video advertising, which was traditionally considered safe. Publishers assumed that the high cost of such traffic would protect this inventory from fraudsters, so they saw no need to implement protection measures there. Criminals exploited this.

About a dozen major SSPs and DSPs in different regions of the world were affected by these attacks. The main blow fell on mobile devices in the United States, which accounted for about 60% of such attacks.

So, who is behind these attacks and how do they work?

ScamClub

This organized group has been engaged in advertising fraud since 2018. ScamClub uses complex mechanisms such as obfuscation and its own servers to distribute its malicious code.

How It Works

This is an extremely complex attack with multiple mechanisms to prevent detection and reverse engineering by security services.

  • Step 1: ScamClub places malicious code in the MediaFile element of the VAST tag, the element that normally triggers the ad. At this stage, client data is collected, and the script checks that it has not been invoked by a security tool (if such a call is detected, the attack is not deployed).
  • Step 2: The encrypted, obfuscated malicious script executes. First, it checks whether the client matches its known targets.
  • Step 3: Information is sent to the criminals' server. The script makes a request to the malicious server, passing information about the user's device, installed programs, and the web page from which the call originated. At this stage, the fraudsters perform another check to ensure their activity has not been exposed.
  • Step 4: After the information from the client has been sent and verified by the server, a response to the POST request is returned containing instructions that direct the user's device to a new website. This redirect code includes several different methods of initiating a forced redirect. Such a diversified strategy increases the chances of a successful redirect and makes it harder for security systems to detect and identify the attack.
  • Step 5: The first domain obtained through the code starts a chain of redirects that ultimately lands the user on a malicious website. This is the final step: traffic has been delivered to the group's clients, who attempt to deceive the user.

Protecting Your Inventory

The best protection for a publisher is a real-time solution that checks video ads as they are delivered.

In addition, advertising platforms should scan their video advertising channels more frequently, as these are not as safe as previously thought.
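One form such a real-time check can take, as an added example (not code from the original article or from any vendor it mentions): a small Python inspector that parses a VAST response and flags MediaFile elements that would execute script in the player, carry script where a media URL belongs, or point outside an allowlisted CDN. The allowlist host, the sample VAST document and the marker regex are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption (constructed): the publisher keeps an allowlist of CDN hosts permitted to serve creatives.
ALLOWED_MEDIA_HOSTS = {"cdn.example-adserver.com"}
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
# Markers that a MediaFile body carries script rather than a plain media URL.
SUSPICIOUS_INLINE = re.compile(r"<script|eval\(|unescape\(|fromCharCode|atob\(", re.I)


def inspect_vast(xml_text, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Return (reason, detail) findings for a VAST response; empty means no concerns."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("malformed-xml", str(exc))]
    for mf in root.iter("MediaFile"):
        mime = (mf.get("type") or "").lower()
        api = (mf.get("apiFramework") or "").upper()
        body = (mf.text or "").strip()
        # A VPAID/JavaScript creative executes in the player context, which is
        # where an obfuscated redirect script would run whether or not the ad plays.
        if mime in SCRIPT_TYPES or api == "VPAID":
            findings.append(("executable-media-file", body[:80]))
        # Script text where a URL belongs: flag it and skip URL parsing.
        if SUSPICIOUS_INLINE.search(body):
            findings.append(("inline-script-payload", body[:80]))
            continue
        url = urlparse(body)
        if url.scheme != "https":  # catches http:, data: and javascript: bodies
            findings.append(("non-https-scheme", body[:80]))
        if url.hostname and url.hostname not in allowed_hosts:
            findings.append(("host-not-allowlisted", url.hostname))
    return findings


# Constructed sample: one clean MP4, one VPAID file from an unknown host, one
# MediaFile whose body is script instead of a media URL.
SAMPLE_VAST = """<VAST version="3.0"><Ad id="demo"><InLine><AdSystem>demo</AdSystem>
<AdTitle>demo</AdTitle><Creatives><Creative><Linear><Duration>00:00:15</Duration>
<MediaFiles>
<MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
<![CDATA[https://cdn.example-adserver.com/creative.mp4]]></MediaFile>
<MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID">
<![CDATA[https://unknown-host.example/vpaid.js]]></MediaFile>
<MediaFile delivery="progressive" type="video/mp4">
<![CDATA[data:text/javascript,eval(atob('...'))]]></MediaFile>
</MediaFiles></Linear></Creative></Creatives></InLine></Ad></VAST>"""
```

Running `inspect_vast(SAMPLE_VAST)` yields three findings (an executable VPAID file, its non-allowlisted host, and the inline script payload); a tag that produces findings should be withheld from the player rather than merely logged.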

For Publishers

Publishers need to take measures to protect their advertising channels.

Forecast

Attacks will become more sophisticated, requiring new and more advanced protection methods.
