Confiant Threat Intelligence Team
Scam Season Comes Early With Re-Emergence of eGobbler
Cybersecurity Awareness Month is coming to a close, but scam season is just getting started.
Every year, we see a surge of malvertising activity around the holidays. In fact, the weeks leading up to Black Friday tend to be the most active time of the year for fraud of all kinds.
But this year, this spike began early with the re-emergence of a notorious and prolific holiday threat actor: eGobbler.
Confiant has been tracking and thwarting eGobbler since 2019. Named for the high volume of impressions their scams generate—we’ve estimated over a billion people have been affected—eGobbler has evolved their attacks over time.
In 2019, they exploited browser vulnerabilities in Chrome and Safari to deliver scams to millions of users. These highly targeted attacks often occurred during weekends and high-traffic periods when ad security staff might be off. They used highly sophisticated TTPs, such as Chrome and WebKit bugs, session hijacking, auto redirects and tight targeting, to deliver malicious content. The harm to users was typically phishing attacks. At their peak, they were a persistent threat across multiple platforms.
In 2021, eGobbler shifted to investment scams, using fake, celebrity-endorsed clickbait images to lure users into fraudulent schemes. Similar to FizzCore, their approach featured "beaten-up celebrity images" and was highly regionalized. We suspect eGobbler may have "borrowed" this concept from FizzCore, possibly after we documented it.
After a quiet period in 2022 and 2023, eGobbler resurfaced earlier this year. On May 15, 2024, we detected their return, marked by a surge of "beaten-up celebrity images". Following another brief period of silence, they reappeared on Labor Day with similar imagery and other known eGobbler indicators. Meanwhile, reports indicate they were active on platforms like Facebook, as covered in a French-language investigation by Radio-Canada into international cryptocurrency fraud.
On October 15, coinciding with Indigenous Peoples' Day and Canadian Thanksgiving, eGobbler launched a new attack that affected over 2 million impressions in Germany, the Netherlands, the UK, and Sweden. This accounted for 3% of our global monitored traffic for several hours, and as much as 20% within those targeted countries. Given that our blocked data covers only a small sample of the industry, we estimate the broader market impact to be up to 20 times higher. As with previous eGobbler threats, our team moved quickly to neutralize the risk for our clients.
While their attacks have evolved, one thing remains consistent: they're part of a wider celebrity ad scam trend that has recently accelerated with the widespread adoption of AI. These types of scams exploit a celebrity's likeness—sometimes using digitally altered images or deepfake videos—to steal account information or install malware on a consumer's device. Publishers who focus on celebrity content should be especially wary of these types of attacks, but any publisher without a closely monitored programmatic ad stack is vulnerable.
We'll continue to monitor the evolution of eGobbler and all the malvertisers as scam season heats up! Learn more about the threats we see: view the entire Malvertising Attack Matrix.