Major Malvertising Campaign Identified: 300 Million Browser Sessions Hijacked in 48 Hours

A major malvertising campaign is redirecting web users to phishing and scam websites. While malvertising campaigns are nothing new, this one stands out for its scale. In 48 hours, more than 300 million users have had their browsers redirected to malicious web pages.

The campaign was uncovered by researchers at cybersecurity firm Confiant on November 12. The researchers note that the actor behind this campaign has been tracked and was found to have been conducting campaigns continuously since August; however, the latest campaign is on a totally different scale. Previously, the scammer had conducted much smaller campaigns not involving tier 1 publishers.

The campaign is targeting mobile iOS devices, primarily in the United States. Users are forcibly redirected to a web page, which then redirects them to another website. Users are sent to a range of different sites, mostly gift card scam sites and adult content.

The click-through URL appeared to be play.google.com, with the ad masquerading as a legitimate Google Play app. The high volume of clicks is partly due to the scammer using a top 5 advertising exchange. Two of the landing pages used were happy.hipstarclub.com and happy.luckstarclub.com; the latter was not being detected as malicious on VirusTotal.

Some of the landing pages offered fake gift cards and prizes but were used to obtain sensitive information such as names, addresses, email addresses, and other personal data.

Confiant explained that around 60% of its customers were impacted by the latest campaign, which is now being blocked. Based on the 300 million redirects and a conversion rate of 0.1%, which Confiant says is conservative, the campaign could have claimed around 300,000 victims. The cost of the ads was calculated to be around $200,000.

Since each victim is likely to have resulted in a payment of a few dollars, Confiant suggests this campaign has earned the attacker around $1 million in just 48 hours.