Scamclub is running a massive campaign, tricking 300 million victims and counting.
On November 12th and 13th, just two weeks ago, a malvertising scam was mistakenly boosted by a legitimate ad exchange. As a result, over the course of just 48 hours, 300 million users were redirected to shady phishing sites, mostly adult sites and gift card scam sites. The group perpetrating the attack has been nicknamed “Scamclub” after their consistent domain names that end in “starclub.com,” and they developed special code that evades malware detection.
The malware actually “knows” when it’s being analyzed in a virtual environment and withholds its malicious redirects at those times. This “smart” function effectively fooled a legitimate ad exchange, allowing the malicious ads to be distributed to hundreds of millions of users. 96% of the victims were targeted on their iOS devices, which cybersecurity experts believe was a deliberate tactic to avoid the ad blockers that are common on so many desktops.
“These malvertising attacks have been happening for years, although it is true that the number redirected in this case is massive,” comments Luis Corrons, Avast Security Evangelist and resident expert on cybersecurity trends. “It makes sense to focus on iOS users, as there are no antivirus solutions available to them. Therefore, they are less protected, making the attacks more likely to succeed.”
The malicious ads have since been removed from the mainstream ad exchange, but they are still in rotation on smaller ad networks that have not yet discovered the issue. If you find any particular site has an ad that triggers a redirect down a rabbit hole of shady ads, close your browser immediately and stay away from that website for a day or so, long enough for the bad ads to cycle out.