All eyes are on Election Day in the United States, and familiar bad actors are taking advantage. On the eve of the U.S. elections, FizzCore–the patron saint of fake celebrity endorsed investment scams–launched a large-scale malvertising campaign targeting users across Germany. This latest campaign used deceptive ads using fake celebrity endorsements to lure users into fraudulent investment schemes. It also features a signature FizzCore strategy: timing attacks on high-news days to maximize engagement and impact.

We’ve been tracking FizzCore since 2019, when we first identified their signature celebrity endorsement clickbait campaigns. Unlike other bitcoin investment scams at the time, FizzCore didn't rely on the typical forced redirect malvertising attack, instead implementing a new technique to successfully evade ad quality reviews. Since then, FizzCore has been a persistent threat actor, launching similar attacks targeting web users across various European countries and inspiring a series of copycat attacks by now well-known threat actors, including the recently resurgent eGobbler.

Our systems first detected the malicious activity at 2:45 AM EDT, within minutes of its appearance and teh attack quickly scaled up to 5% of all global ad impressions monitored by Confiant and 20% of all impressions in the impacted area. By leveraging advanced cloaking techniques and exploiting the ad ecosystem, FizzCore managed to bypass ad controls and deliver malicious content directly to high-traffic German publishers. While real time blocking the attack for all the publishers and platforms integrated to Confiant, our team investigated and identified Google’s DV360 as the originating platform compromised by Fizzcore. We escalated the activity to Google and quick action resulted in full containment around 4:10 AM EDT.

Have you been affected by a fake celebrity endorsement scam? Try Confiant to see how we can help.