Scallywag Ad Fraud Network Generates 1.4 Billion Bid Requests Daily


Security researchers have discovered a new ad fraud network capable of attracting billions of weekly ad requests across hundreds of domains.

Scallywag is a collection of four WordPress modules designed to lower the barrier to entry for threat actors that want to monetize illicit content through advertising.

“Scallywag is a collection of WordPress extensions that threat actors install to redirect users from piracy catalog sites or URL-shortening service sites through one or more intermediary cashout sites on which the threat actors stage a bunch of ads, and finally to the promised pirated content or shortened URL,” explained researchers at security vendor Human.

The cashout sites themselves use several tactics to slow users down and maximize the number of ads the pages can request and render. These include buttons that must be clicked on to get to the content in question, CAPTCHAs to solve, hard-coded wait times before users can progress, required scrolling through a full page before progressing, and a need to navigate intermediary pages first.

“These cashout sites, when cloaked, often take the form of a seemingly benign blog with no obvious relationship to the original piracy/URL shortening domains,” Human said.

Most of the Scallywag cashout sites decloak content using a process called “deep linking.”

“The link on the catalog page includes a deep link to a page with a webform, that webform automatically submits and redirects the user to the decloaked version of the desired page,” Human explained.

“That webform completion tells the website that the user should receive the decloaked version, rather than the benign version.”
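For defenders reviewing captured page source, the self-submitting webform described above can be flagged with a simple heuristic. The following is an added example, not code from Human or from the Scallywag extensions. The markup, field names and paths in it are constructed for illustration, and the function name `find_auto_submit_forms` is hypothetical.

```python
import re
from html.parser import HTMLParser

# Script code that submits a form with no user action, e.g. document.forms[0].submit()
AUTO_SUBMIT = re.compile(r"\.submit\s*\(\s*\)")

class FormScan(HTMLParser):
    """Collects each form's action and input counts, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form>
        self.scripts = []    # inline <script> bodies and the <body onload> handler
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "hidden": 0, "visible": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = "hidden" if (a.get("type") or "text").lower() == "hidden" else "visible"
            self._form[kind] += 1
        elif tag == "body":
            self.scripts.append(a.get("onload") or "")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def find_auto_submit_forms(html):
    """Return forms with only hidden inputs on a page whose script calls submit()."""
    scan = FormScan()
    scan.feed(html)
    scripted = any(AUTO_SUBMIT.search(s) for s in scan.scripts)
    return [f for f in scan.forms if scripted and f["visible"] == 0 and f["hidden"] > 0]

# Constructed samples: a deep-link style page and an ordinary search form.
DEEP_LINK_PAGE = '<body onload="document.forms[0].submit()"><form action="/post/" method="post"><input type="hidden" name="token" value="CONSTRUCTED"></form></body>'
ORDINARY_PAGE = '<body><form action="/search"><input type="text" name="q"><input type="submit"></form><script>console.log("ready")</script></body>'
```

A hit is only a lead for manual review: legitimate payment and single sign-on redirects also use self-submitting hidden forms, so the form's target and the page it returns still need to be examined.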

One of the four WordPress extensions associated with the campaign dates back to 2016. They are:

  • Soralink
  • Yu Idea
  • WPSafeLink
  • Droplink

Three of the extensions – Soralink, WPSafeLink, and Yu Idea – are sold by their developers to individual threat actors, while Droplink is available free of charge behind its own Scallywag path.

Human appears to be locked into a game of whack-a-mole with the fraudsters. Although traffic associated with Scallywag declined 95% from a peak of 1.4 billion bid requests per day, in early April, new cashout sites were launched and soon began to accrue visitors.


