New Malvertising Scheme Found Using a Single Ad Network

Exploiting a Single Ad Platform for Wide-Scale Attacks

Security researchers have uncovered a new kind of attack, known as “DeceptionAds,” that depends on one main online ad network. This attack uses fake ads placed on over 3,000 sites to reach more than one million people every day. As a result, many users end up losing money or having their online accounts stolen.

Fake CAPTCHA Checks Leading to Malware

These attacks target visitors who end up on websites that show pirated movies or other risky content. When users visit these sites, they are redirected to pages that appear to show a simple CAPTCHA test. However, these pages trick people into copying and running a piece of code. Once run, this code installs harmful software like the Lumma information stealer.

More Than One Group Behind These Threats

Recent reports show that different criminal groups are now using this social engineering trick. They are spreading not just information stealers, but also remote access tools and even advanced hacking frameworks.

Tracing the Source: Monetag and More

The ad network known as Monetag, which claims to help website owners earn money through different ad types, was found to be at the center of this scheme. The attackers also used services like BeMob to hide their true intentions. Other security teams refer to Monetag as Vane Viper or Omnatuor, showing that it has been on the radar of various cybersecurity watchers.

How the Scam Works

First, the people behind the scam create publisher accounts on Monetag. They then use Monetag’s system to direct web traffic to a special redirect system. After that, users are sent to the fake CAPTCHA page. By pointing first to a harmless BeMob link, the attackers made it harder for Monetag to detect the real source of the bad content.

Platform Responses

After these findings became public, Monetag closed more than 200 suspicious accounts tied to the attacks, and BeMob also shut down the accounts used to mask the bad links. Still, the attackers have started their activities again as of December 5, 2024.

The Need for Better Screening

This situation highlights why it is so important for ad platforms to check who signs up and what they are doing. Without proper checks, criminals can abuse ad networks that were meant to be helpful tools. In the end, everyone involved—ad networks, publishers, tracking services, and hosting providers—must share the responsibility for keeping users safe.