ScamClub is a highly sophisticated and well-funded threat actor primarily motivated by financial gain. They exploit vulnerabilities within the ad tech industry, particularly targeting web browsers and ad tech platforms. In September 2023, Confiant definitively linked ScamClub to WayTop International Advertising Limited in Hong Kong. Known for their advanced capabilities, ScamClub develops custom programs and code to target various operating systems and web browsers. They prioritize operational security and have been credited with discovering zero-day browser vulnerabilities and introducing innovative attack methods. Since January 2023, ScamClub's activity has increased significantly, with a notable surge in attacks on DSPs, SSPs, ad platforms, and publishers, posing challenges to the ad tech landscape and underscoring the urgent need for a coordinated takedown.
In September 2023, Confiant published a comprehensive threat intelligence report on ScamClub, which provided the evidence that led to an account level takedown against the threat actor known as ScamClub. The following article summarizes Confiant’s experience from this action, what we have learned from the account level takedown of that threat actor, and our plans to support our partners in the ad industry going forward.
ScamClub Phishing Attack Examples, Source: Confiant
ScamClub is a prolific threat actor deeply embedded in the ad tech industry's supply chain, employing a strategy of numerous small-scale thefts that spread the impact across a wide range of users. They specialize in offering malvertising-as-a-service (MaaS) to place phishing ads that lure users into criminal scams. While they are not directly involved in the criminal attacks, they facilitate them by compromising ad tech systems. Their activities contribute significant revenue to the criminal ecosystem: our conservative estimate, published in our Threat Intelligence report, puts profits taken from victims at more than $8.5 million in the first half of 2023, and potentially more than $50 million for the year. This underscores the sophisticated evolution of malvertising and its substantial impact on victims. The total monetary pain inflicted on the victims is a multiple of that figure, because ScamClub is only one layer of this kill chain and multiple other criminal organizations profit too.
The effects of ScamClub malvertising include:
ScamClub operates as a prominent malvertiser and often leaves traces of its activities. The failure to effectively combat major threats like ScamClub, however, stems from the inadequate sophistication of ad tech security companies. These companies focus on blocking individual ads that violate security rules rather than addressing the larger issue: the criminal networks behind malvertising. The emphasis on blocking ads distracts them from targeting the root cause, which is the threat actors' access to the ad tech supply chain. The result is a futile game of whack-a-mole that allows malvertisers to continue their deceptive activities unchecked.
Three types of actions that the ad industry can take to protect from this type of threat actor, from least effective to most effective:
Since its inception, Confiant has a history of “firsts” by raising the bar above the status quo of the ad tech industry. A few of Confiant's market-leading examples:
Confiant, a forerunner in ad tech security, has consistently set new benchmarks in real-time ad blocking, in-auction bid response validation, and malvertising threat intelligence. The company's dedication to raising industry standards led to a strategic takedown of ScamClub, leveraging in-depth forensic analysis and collaboration with industry partners. This approach not only disrupted ScamClub's operations but also set a precedent for addressing malvertising at its source rather than merely intercepting its manifestations. The first step was a technical takedown action against ScamClub's servers.
The takedown, focusing on both ScamClub's server infrastructure and its account-level access within the ad tech supply chain, marked a significant victory. The immediate effect was a substantial reduction in ScamClub's malvertising traffic, temporarily cleansing the ad tech ecosystem of their influence. However, the real success lay in the collaborative effort and the strategic shift towards targeting the economic foundations of malvertising operations.
Confiant's cyber threat team attributed ScamClub activity with high confidence to WayTop International. When we presented the findings and technical evidence to our cloud supply-chain partners, they took swift action to remove ScamClub activity from their servers. That resulted in a 96% drop on September 26th and a 100% drop the following day. The action left ad tech completely free of ScamClub for the first time since 2018.
ScamClub Impressions 09.2023, source: Confiant
With the technical takedown action successfully completed, the clock started ticking on how long it would take for ScamClub to reestablish new servers.
Our supply chain action was anchored by a few key elements:
The action against ScamClub aimed not only to disrupt their operations but also to gauge the industry's response to clear evidence of criminal activity. Detecting such actors is challenging because they often appear as regular advertisers. So even though no individual legitimate company wants criminal ad revenue, the onus is on the whole industry to adhere to that standard, or the criminal activity sneaks in. It is just too easy to accept the money first and only ask questions afterwards (if ever).
Consistently and systematically identifying bad signals like ScamClub's ads amid the noise of normal digital advertising activity is a non-trivial task that many competing solutions cannot accomplish. Establishing reliable visibility into programmatic ad linkages in ad tech, and navigating between primary, secondary, and tertiary agents in the process, is challenging due to several factors:
Addressing these systemic difficulties requires visibility and long term collaboration across the industry for data sharing and transparency, efforts that are slowly advancing.
Confiant reached out to 15 ad tech platforms before executing the technical takedown against ScamClub. These platforms were indirectly enabling ScamClub's activities, and Confiant asked them to collaborate in disrupting ScamClub's access to the industry. Some platforms hesitated, as cooperating meant acknowledging that their revenue had supported criminal activity. Only seven responded, and one of those denied involvement despite the evidence. Internal conflicts, such as revenue reductions and commission cuts, complicated their decisions. Six platforms engaged, some more quickly than others, but all committed to rejecting criminally funded revenue.
By the time the technical takedown was executed, several key links had been severed and more were in review. That was not enough to sustain lasting limitations on ScamClub once they overcame the technical action, but it was enough to teach Confiant how to make future supply chain disruptions more impactful.
Confiant is dedicated to improving the ad tech landscape by thwarting threat actors' attempts to exploit users on premium ad sites. Following the successful takedown operation in September, Confiant is now doubling down on transparency and attribution within the online advertising ecosystem. To achieve this, we are enhancing infrastructure, investing in forensic ad tech analysis, and focusing on identifying the parties involved in threat actor supply chains. By gathering detailed forensic evidence and documenting account-level linkages, we aim to respond to attacks more swiftly and effectively. Our ultimate goal is to enhance transparency in the ad industry, enabling a shift from merely blocking ads to blocking access for threat actors.
The ad industry lacks a robust standard for demand verification, which is crucial due to rising global ad-based threats. Confiant's 2023 Annual MAQ reveals alarming statistics, with one in every 79 programmatic impressions showing significant security or quality issues, the highest rate since 2018. On average, one in every 384 impressions poses a security risk to users. Threat actors exploit the digital ad industry for criminal gain, necessitating industry-wide action for better protection. Confiant advocates for stronger demand verification standards to identify and address malicious buyers effectively. Threats extend beyond programmatic channels to social, search, video, native, and in-app advertising. With threat actors becoming increasingly sophisticated, urgent industry coordination is crucial to mitigate the growing problem.
The battle against ScamClub underscores the critical need for heightened vigilance, collaboration, and innovation in cybersecurity within the ad tech industry. As malvertising threats evolve, so must our strategies to combat them, ensuring a secure and trustworthy digital advertising environment for all stakeholders.
Confiant is prioritizing the rapid dissemination of crucial insights to combat criminally funded ad campaigns. Confiant aims to provide our ad tech partners with actionable information that enables them to cut off criminals' access to ad platforms. We are imploring the industry to take a firmer stance against criminal activity and empowering it to do so effectively.
Read the technical article on Medium, learn more about "ScamClub’s Deceptive Landing Pages" in our related article, or download the full report below: