DeceptionAds Warning: New Malicious Ad Type Exploits Legitimate Services to Display Fake CAPTCHAs

Malvertising comes in many shapes and forms, but some are more dangerous than others. DeceptionAds is a new form of malvertising, where scammers use legitimate advertising platforms and ensure that their malicious sites avoid as much censorship as possible, allowing their bad ads to get up to 1 million impressions per day.

DeceptionAds abuses legitimate channels to distribute PowerShell malware

According to Guard.io, DeceptionAds is a fake CAPTCHA page that asks users to copy and paste a command to activate PowerShell malware. This attack vector is nothing new; the attack was reported in a McAfee discovery last October.

What makes this particular case notable is how it spread. To lure people into these fake CAPTCHA sites, the cybercriminals set up a system where they sent fake ads through Monetag, a legitimate ad network. Monetag has moderation tools to prevent attacks like this, but the cybercriminals tied themselves to a second legitimate service called BeMob, which was designed to perform ad tracking.

Of course, the criminals weren't really interested in implementing ad tracking on their fake sites. Instead, they passed the malicious site's BeMob URL to Monetag. Since BeMob was a trusted source, Monetag accepted the link and didn't flag it during moderation. This allowed the cybercriminals to display their malicious ads 1 million times a day on over 3,000 websites.

Fortunately, Guard.io reported these cases, and both Monetag and BeMob have removed the offending ads and removed the bad actors behind them. However, this provides insight into how malvertisers leverage official, legitimate channels to spread their sites undetected.

Fortunately, avoiding this attack is the same as all other malicious ads. By knowing what to look for when spotting malicious ads, you can spot fake ads and avoid clicking on them in the first place.

Marvin Fry

Update 20 December 2024