You may have noticed over the last couple of weeks that some of your favorite websites — including PJ Media and Instapundit — have been plagued by rogue pop-up ads and redirects to spammy sites. Hundreds of millions of web sessions have been hijacked by a cyber-criminal group called ScamClub, with millions of users being directed to gift card and adult website scams.
Typically, users click on a link at a trusted website and are instantly redirected to a site that displays a pop-up message announcing that the individual has won a gift card or other prize. The scammers do this by placing malicious code inside online ad units and hijacking U.S.-based iOS users to redirect them to bogus sites. ScamClub then attempts to collect users’ personal and financial data.
“In this particular case,” ZDNet reported, “the code used by the ScamClub group hijacked a user’s browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.”
Jerome Dangu, the co-founder of cybersecurity firm Confiant, explained the nature of the attack to ZDNet. “On November 12 we’ve seen a huge spike in our telemetry,” he said, noting that Confiant first detected the malvertising in August. “The difference is the volume,” Dangu said. “One of the reasons for the November 12 spike is that they were able to access a very large ad exchange. Previously they only had access to lower reputation ad networks which limited their visibility on premium websites.”
We first noticed the issue at PJM on or around November 8, though the scope of the problem was limited at that time. It escalated over Thanksgiving weekend, when we began receiving an influx of reports from readers. Here are a couple of examples we’ve seen on PJM and Instapundit:
If you’ve been affected by these ads, we profusely apologize. We understand that they’re terribly aggravating and intrusive and result in an unpleasant user experience. We’re aggravated too. I assure you our tech and ad folks are working overtime to rid our site of the malicious ads.
Dangu wrote in a blog post at Confiant that security vendors have been slow to detect the attack. “The latest domain used in the scheme (luckstarclub.com) has been flying under the radar for weeks (not detected by either Google SafeBrowsing or VirusTotal),” he wrote, adding that the malvertising is:
- Served through a top 5 advertising exchange – 57% of our publisher clients working with this ad exchange were impacted.
- Targeting United States visitors (99.5% of hits)
- Targeting iOS devices (96% of hits)
iOS users are disproportionately affected because they don’t typically use ad blocking software on their devices.
“It’s significant that such a high scale operation is able to persist with just 2 domains over such a long period of time,” Dangu told ZDNet.
The day after the November 12 spike, the malicious ads were removed by the high-profile ad exchange. The malvertising attacks continue, however.
“We’ve continued to see activity, to the scale of 300k hits per day, so the attacker is still active but back to its usual lower visibility ad networks,” Dangu said. “We expect they’ll continue to be active for the foreseeable future.”
“The landing page domains (hosting scams or adult content) have been very persistent,” he added. “This group is really good at evading and they use multiple fast-changing redirection chains, but eventually always lead to one of those ‘starclub’ domains.”
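The kind of telemetry analysis Confiant describes (hits broken down by country and device, redirect chains that end on a ‘starclub’ landing domain) can be reproduced on a publisher’s own ad logs. The script below is an added example, not Confiant’s or PJ Media’s code; the log format, the `.example` hosts and the user agents are constructed, and only `luckstarclub.com` comes from the article.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample telemetry, one ad impression per line:
# country | user agent | redirect hops the browser followed (space separated)
SAMPLE_LOG = """\
US|Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) Safari|https://ads.example/unit https://t1.example/r https://luckstarclub.com/win
US|Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) Safari|https://ads.example/unit https://t2.example/r https://t3.example/r https://luckstarclub.com/win
US|Mozilla/5.0 (Windows NT 10.0) Chrome|https://ads.example/unit https://advertiser.example/landing
DE|Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X) Safari|https://ads.example/unit https://t4.example/r https://giftstarclub.example/enter
US|Mozilla/5.0 (Linux; Android 9) Chrome|https://ads.example/unit https://advertiser.example/landing
"""

# The landing-page family named in the article: domains containing 'starclub'.
STARCLUB = re.compile(r"starclub\.", re.IGNORECASE)


def host(url):
    """Hostname of a URL, empty string if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def parse(log):
    """Split each log line into (country, user_agent, [hop, hop, ...])."""
    rows = []
    for line in log.splitlines():
        country, ua, hops = line.split("|")
        rows.append((country, ua, hops.split()))
    return rows


def is_ios(ua):
    return "iPhone" in ua or "iPad" in ua


def analyze(log):
    """Flag impressions whose final hop is a 'starclub' host and summarise them."""
    flagged = [r for r in parse(log) if STARCLUB.search(host(r[2][-1]))]
    n = len(flagged)
    return {
        "flagged": n,
        "us_share": sum(c == "US" for c, _, _ in flagged) / n if n else 0.0,
        "ios_share": sum(is_ios(ua) for _, ua, _ in flagged) / n if n else 0.0,
        "max_chain": max((len(h) for _, _, h in flagged), default=0),
        "landing_hosts": Counter(host(h[-1]) for _, _, h in flagged),
    }
```

Because the redirect hops change quickly while the landing domains persist, matching on the last hop rather than the intermediate hosts is what keeps the rule useful.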
While we haven’t yet completely resolved the issue, our ad folks do recommend that users clear their browsing history and cookies to try to limit the impact. Please know that we take these problems very seriously. We’re grateful to you, our readers, for choosing PJM and Instapundit, and would appreciate your patience as we work to get this fixed.
Follow me on Twitter @pbolyard.