A huge online fraud operation is hijacking WordPress sites to send out 1.4 billion ad requests per day


  • Researchers found a huge ad fraud scheme called Scallywag
  • The scheme monetizes pirated sites through a series of redirects
  • At its peak, there were 1.4 billion daily requests

Cybersecurity researchers from HUMAN have spotted a major ad fraud operation that leverages people’s interest in pirated content to generate ad revenue from otherwise non-monetizable content.

In an in-depth report, HUMAN explained that pirated websites don’t host ads because they would “run afoul of most advertisers’ policies”. Instead, they partner with hundreds of website owners (scammers, basically) who deploy a set of four WordPress plugins on their assets.

These plugins are collectively named Scallywag, and they are designed to do a couple of things, but mostly to load as many ads as possible, and make sure people stick around until they fully render. There are a couple of tactics to slow visitors down, from the “please wait” button that turns to “download now”, to fake CAPTCHAs and other methods. The plugins are called Soralink (released in 2016), Yu Idea (2017), WPSafeLink (2020), and Droplink (2022).

Choking the operation

After rendering the ad, visitors are again redirected and allowed to download the pirated content they were looking for.

By the time HUMAN discovered the operation, it counted 407 domains and 1.4 billion fraudulent ad requests per day. It seems the strength is in numbers, since the fraudsters even made YouTube video tutorials, coaching other people on how to join:

"These extensions lower the barrier to entry for a would-be threat actor who wants to monetize content that wouldn't generally be monetizable with advertising; indeed, several threat actors have published videos to coach others on setting up their own schemes," HUMAN said.

The researchers moved in to report and block Scallywag traffic, and claim to have largely succeeded. The traffic allegedly shrank by 95%, although the operation is not entirely dead, since threat actors rotated domains and moved to other monetization models.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
