Decoding ScamClub’s Malicious VAST Attack

ScamClub, a notorious threat actor, has shifted its focus towards video malvertising assaults, resulting in a surge in VAST forced-redirect volumes since February 11, 2024. According to GeoEdge security research, upwards of a dozen SSPs and DSPs have fallen victim to its infiltration, spanning multiple regions, notably the United States (60.5%), Canada (7.2%), the United Kingdom (4.8%), Germany (2.1%) and Malaysia (1.7%), with the remainder distributed across other territories. Mobile devices dominate impressions, constituting 87.7%, followed by desktop at 10.5% and tablet at 1.6%. Consoles, wearables, and smart TVs have also been targeted, accounting for the remaining impressions.

ScamClub’s Assault on the AdTech Ecosystem

Since 2018, ScamClub has emerged as a persistent threat to the entire AdTech supply chain, penetrating SSPs and DSPs to access publishers and their audiences. Leveraging ad platforms, they execute sophisticated financial scam attacks, forcefully redirecting victims’ browsers from legitimate publisher sites to ScamClub’s landing pages. The escalation in its nefarious activities has peaked since December; this surge can be partly attributed to the customary new-year CPM drop, which provides ideal ground for the threat actors to amplify operations.
Figure 1: 2024 ScamClub Impressions Graph

In this mutation of the ScamClub attack, GeoEdge’s security team identified VAST tags with malicious intent. In 2008, the IAB introduced the Video Ad Serving Template (VAST) to address the increasing demand for video advertising. VAST uses an eXtensible Markup Language (XML) schema to generate ad tags for video players, carrying the information about the primary video ad slot.

Functioning as a communication intermediary between video players and ad servers, VAST ensures the smooth playback of video ads. It plays a pivotal role in delivering a seamless user experience and effectively shaping and distributing video ads.

Figure 2: VAST example

While threat actors once found video inventory financially out of reach, their tactics have evolved significantly. The vulnerability of video inventory served to web and mobile users is not the only concern; the broader CTV landscape also lacks adequate ad security controls, leading to significant gaps in audience protection.

ScamClub Attack Flow

Figure 3: ScamClub February Attack Flow

1. Creating the Malicious Script:
The initial phase involves crafting the malicious script, where crucial fingerprint information is strategically saved in an attacker environment variable external to the script. This environment variable, depicted in Figure 4, serves as a repository for essential data required for fingerprinting.

2. Executing the Malicious Obfuscated Script:
With the script in place, execution follows, where the malicious and obfuscated code is deployed. This script systematically tests the client using a series of fingerprint functions, probing for specific attributes and configurations within the client’s environment.

3. Server-Side Fingerprinting:
Upon successful passage through the client-side fingerprint checks, the malicious script proceeds to the server-side fingerprinting phase. Here, an additional request is made to a malicious ad server hosted on a private domain, such as “trackmenow[.]life.” The request includes URL parameters and, notably, DOM data sent through a POST request, contributing to an enriched set of fingerprinting information.

4. Redirect Code:
Following the server-side fingerprinting validation, the response from the POST request contains various mechanisms to initiate the redirect. This redirection code serves as a pivotal element, laying the groundwork for the subsequent steps in the malicious flow.

5. Redirect Chain Domain:
The domain obtained from the redirect code initiates a redirect chain, steering the client towards a deceitful destination, typically a fraudulent or scam page. This orchestrated redirect chain is the final step in the malicious flow, leveraging the acquired fingerprint data to tailor and execute a targeted redirection process.

This sequence of steps in the malicious flow illustrates a sophisticated and orchestrated approach, utilizing both client-side and server-side fingerprinting techniques to validate and redirect clients to a specified destination. The integration of these steps underscores the intricate nature of the malicious script’s design and its potential impact on users within the online advertising ecosystem.

Figure 4: The fingerprint information contained within the variable alongside the creation of the malicious script.

The Fingerprint Information Inside the Attacker Environment Variable:

The data encapsulated within this variable is delimited by ‘|’. It undergoes partial concealment through various techniques, including base64 encoding, md5 hashing, and string obfuscation. The attacker employs additional characters to obscure the string, and the data’s order undergoes constant permutation.

Crucial fingerprint:

1. IP Address
2. Country Code
3. Hostname of the client’s location
4. Site ID (Hostname + ID)
5. Timestamp of the tag’s request
6. Ad Exchange Server
7. Browser Name
8. Browser Version
9. Operating System
10. Hash of the Timestamp + IP + Salt
11. Bid ID
12. X-RTB ID

It’s noteworthy that not all data elements may be present at all times. Figure 4 illustrates instances where certain data is absent, denoted by ‘||’ without accompanying information. This variability in data completeness adds an additional layer of complexity to the fingerprinting process, making it more challenging to predict the exact structure and content of the embedded information.

Advantages for the attacker:

1. Important fingerprint data: the malicious script uses this information later within the fingerprint functions.
2. Blocking test environments: if this variable is absent, it indicates a test environment, and the script won’t render.

The Fingerprint functions used in the malicious script:

  1. IP Address Consistency: The script checks whether the IP address associated with the current request matches the one stored in the fingerprint data.
  2. Time Differential: Time is a critical factor in AdTech security. The script enforces a stringent time constraint, allowing only requests with a time difference of less than 60,000 milliseconds (or 60 seconds) to proceed. This temporal validation acts as a defense against reproducing the attack.
  3. Timezone Synchronization: Recognizing the significance of timezone information, the script ensures that the timezone in the current request aligns precisely with the one recorded in the fingerprint data.
4. Location Fingerprint Verification: The script compares the location data embedded in the fingerprint data with the dynamically retrieved current location. This meticulous check ensures that the location information remains consistent.
5. Anti-Debug Verification: Strengthening the script’s resilience, an anti-debug function has been incorporated. This function actively detects and thwarts debugging attempts, adding an additional layer of defense against reverse engineering and analysis.

If the script encounters failures during execution, it will proceed to perform additional fingerprint functions, such as verifying security vendors.

If the script passes those functions, it sends a POST request to the malicious ad server with more fingerprint data, such as:

1. IFrame Presence Check:
This method involves checking whether the ad is displayed inside an iFrame. If the ad is detected within an iFrame, it serves as an indicator that the script is operating in a specific environment. This check helps the attacker distinguish between real-world ad-serving scenarios and potential test environments or controlled setups.

2. WebGL Fingerprinting:
WebGL is a JavaScript API that allows for rendering interactive 2D and 3D graphics within a web browser. By extracting WebGL-related information, such as supported extensions and renderer details, the attacker gains insight into the capabilities and configurations of the user’s browser. This information can contribute to creating a unique fingerprint for the user’s device, enhancing the script’s ability to identify and track users.

3. OS Touch Event Check:
This method involves determining whether the user’s operating system supports touch events. The presence or absence of touch events can be indicative of the device’s nature (e.g., mobile or desktop). This information aids in refining the user’s device profile, allowing for more targeted and specific fingerprinting.

4. DOM Data Fingerprinting:

Fingerprinting based on Document Object Model (DOM) data involves extracting and analyzing various attributes and properties of the DOM. This can include details about the structure of the webpage, the presence of certain elements, and other unique identifiers. By comprehensively examining the DOM, the attacker can create a distinctive fingerprint that contributes to the overall identification of the user’s browsing environment.

These additional fingerprinting methods showcase the attacker’s sophisticated approach to gathering diverse and granular information about the user’s device and browsing context. Each method contributes unique data points to the fingerprint, enhancing the script’s ability to create a robust and distinctive profile for targeted identification and tracking within the ad tech ecosystem.

The malicious ad server utilizes this data to determine whether to redirect the client to the scam page.

ScamClub Malicious Video Campaign

Several months back, ScamClub initiated their assault through video VAST campaigns.

Figure 5: ScamClub Malicious Video Campaign

1. VAST Integration
The VAST tag initiates the loading of a VAST XML file containing a ‘MediaFile’ element. This element hosts a JavaScript file sourced from the AzureEdge/Cloudfront domain. Fingerprint information is passed as query parameters within this file. During this phase (Figure 6), the attacker refrains from filtering users, allowing a broad audience.

2. Response Content (Figure 7)
(a) The VpaidVideoPlayer properties seamlessly render the legitimate video ad.

(b) Simultaneously, the malicious obfuscated script is concealed within the response content.

3. Server-Side Fingerprinting

4. Redirect Code

5. Redirect Chain Domain

Figure 6: The Malicious Script Hosted by Az

Figure 7: ScamClub Malicious Script

The main purpose of this VAST is to deliver the malicious content; there is no actual video content to present. When rendering this VAST, we see only that the malicious script is loaded, together with the Google player’s default video, because the tag failed to render any video content.

Figure 8: Google player default video, the first advertisement linked to ScamClub’s VAST attack
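As an added example (not code from the post or from GeoEdge), here is a minimal scanner an ad-quality team could run over VAST tags before they reach a player: it parses the XML, finds MediaFile elements that deliver JavaScript instead of video, and flags those served from the private domain the post names or whose query string carries the fingerprint shapes seen in the post’s ft1.js URL. The two sample VAST documents are constructed, and treating a 32-hex token or the {client_ip} macro as a fingerprint marker is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Private domain the post names as the current host of the malicious script.
IOC_DOMAINS = {"trackmenow.life"}
# Two value shapes taken from the post's ft1.js URL: a 32-hex (MD5-length) token
# and the unexpanded {client_ip} macro. Treating them as markers is an assumption.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def fingerprint_params(url):
    """Query (key, value) pairs that look like server-side fingerprint data."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if MD5_RE.match(v) or "{client_ip}" in v]


def is_javascript(mediafile, url):
    """VAST lets a MediaFile carry a VPAID script instead of video; detect that."""
    return (mediafile.get("type", "").lower() == "application/javascript"
            or urlsplit(url).path.lower().endswith(".js"))


def scan_vast(xml_text):
    """Return [(media_url, [reasons])] for every suspicious MediaFile."""
    findings = []
    for mf in ET.fromstring(xml_text).iter("MediaFile"):
        url = (mf.text or "").strip()
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("ioc-domain")
        if url and is_javascript(mf, url) and fingerprint_params(url):
            reasons.append("js-mediafile-with-fingerprint-params")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample: the MediaFile is the post's ft1.js URL (scheme restored,
# parameters trimmed). Nothing is fetched; the XML is only parsed.
MALICIOUS_VAST = """<VAST version="3.0"><Ad id="1"><InLine><AdSystem>x</AdSystem>
<AdTitle>x</AdTitle><Creatives><Creative><Linear><Duration>00:00:30</Duration>
<MediaFiles><MediaFile delivery="progressive" type="application/javascript"
apiFramework="VPAID">https://trackmenow.life/vtag/ft1.js?dWiq=allnovel.net&amp;upiOi={client_ip}&amp;msBWy=safari&amp;dTeAp=ios&amp;CBKVK=RO&amp;pznfW=0579587625b92f9ef09c7753e1acf217</MediaFile>
</MediaFiles></Linear></Creative></Creatives></InLine></Ad></VAST>"""

# Constructed benign tag: an MP4 from a publisher CDN, which must not be flagged.
BENIGN_VAST = """<VAST version="3.0"><Ad id="2"><InLine><AdSystem>x</AdSystem>
<AdTitle>x</AdTitle><Creatives><Creative><Linear><Duration>00:00:15</Duration>
<MediaFiles><MediaFile delivery="progressive" type="video/mp4">
https://cdn.example.com/spots/15s.mp4?v=3</MediaFile>
</MediaFiles></Linear></Creative></Creatives></InLine></Ad></VAST>"""
```

A legitimate VPAID MediaFile is also JavaScript, so the scanner only flags the combination of a script MediaFile with fingerprint-shaped parameters, or a known-bad host.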

In the most recent variant of the ScamClub scam, the attacker has moved the hosting server for the malicious script to their own domain instead of Azure. Example URL:

hxxps://trackmenow.life/vtag/ft1.js?VUHa=1&HXbwq=1h8t5&bMit=1j9qylF2mOrq&VVXO=781c6a2553149ab83c561f10a2151&dWiq=allnovel.net&TAcZ=adsgard-cpm-rtb-vo&upiOi={client_ip}&msBWy=safari&dTeAp=ios&wXczw={subage}&CBKVK=RO&feoL=1x7y0y7o9e9n1x9a8m6j4m3n2&hGbg=43894&mOsAF=allnovel.net_4a3266fca0b6&pznfW=0579587625b92f9ef09c7753e1acf217

Now there is a longer VPAIDAd properties script to render the ad (Figure 9).

Figure 9: The new script returns from ScamClub private domain

The updated edition includes promotional content from McAfee, attempting to mimic a genuine advertisement, which leads to: hxxps://iabtechlab.com

Figure 10: Promotional content from McAfee, the second ad linked to ScamClub’s VAST attack

The difference between the ordinary ScamClub attack and the VAST attack:
In VAST campaigns the fingerprint data is delivered in the URL of the request for the malicious script, which allows the attacker to validate it on the server, whereas in the ordinary version it is embedded in the preceding script, which forces the attacker to validate it on the client.
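The following added example (not code from the post) labels fingerprint fields by shape so an analyst can tell which of the listed fields a given value is, whether it arrives in the ‘|’-delimited attacker variable from Figure 4 or in the query string of the ft1.js request above. The shape patterns, the sample blob and the base64 fallback are assumptions drawn from the post’s field list, not ScamClub’s actual encoding.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Shape patterns for the fields the post lists (IP, country code, hostname,
# site ID, timestamp, browser, version, OS, MD5 of timestamp+IP+salt). These
# are assumptions about how each field looks; narrower shapes come first.
PATTERNS = [
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("country", re.compile(r"^[A-Z]{2}$")),
    ("timestamp_ms", re.compile(r"^1\d{12}$")),  # 13-digit epoch milliseconds
    ("version", re.compile(r"^\d+(?:\.\d+)+$")),
    ("site_id", re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}_[0-9a-f]{6,}$")),  # host_id
    ("hostname", re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$")),
    ("browser", re.compile(r"^(?:chrome|safari|firefox|edge|opera)$", re.I)),
    ("os", re.compile(r"^(?:ios|android|windows|macos|linux)$", re.I)),
]


def classify(value):
    """Label one field by shape; if nothing fits, base64-decode it and retry."""
    if value == "":
        return "missing"  # the '||' case: a field the attacker left empty
    for label, pattern in PATTERNS:
        if pattern.match(value):
            return label
    try:
        inner = classify(base64.b64decode(value, validate=True).decode("ascii"))
        if inner not in ("missing", "unknown"):
            return "b64:" + inner
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        pass
    return "unknown"


def parse_fingerprint_blob(blob):
    """Split the '|'-delimited variable and label every field."""
    return [(field, classify(field)) for field in blob.split("|")]


def parse_script_url(url):
    """Label the query values of an ft1.js-style request the same way."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(key, value, classify(value)) for key, value in pairs]


# Constructed blob in the post's format; the real one is permuted and partly
# obscured, so this order is only illustrative. First field is base64 of an IP.
SAMPLE_BLOB = ("MjAzLjAuMTEzLjc=|US|example.org|example.org_0a1b2c3d4e5f|"
               "1707654321000||chrome|121.0|windows|9e107d9d372bb6826bd81d3542a419d6")
```

Values with no recognizable shape (the random parameter names, the ad exchange name, the unexpanded {client_ip} macro) come back as "unknown", which is itself useful when diffing two captures of the same tag.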

IOC:

All the domains delivered the VAST attack:


TTPs (Tactics, Techniques and Procedures):

Tactics:

1. Malvertising through VAST ads:
The primary tactic involves embedding malicious functionality within VAST (Video Ad Serving Template) ads, exploiting the ad-serving infrastructure to reach a broad audience.

2. Evading after Legitimate Script:
A strategic tactic employed by the attacker involves evading detection by embedding malicious elements within VAST Definitions after the legitimate script execution. This method enhances the covert nature of the attack by blending malicious elements with legitimate ones.

Techniques:

1. VAST XML Exploitation:
The attacker leverages the VAST protocol, loading an XML file containing a ‘MediaFile’ element. This element hosts a JavaScript file from a seemingly legitimate AzureEdge/Cloudfront domain, disguising malicious intent.

2. Client-Side Fingerprinting:
Upon loading the VAST XML, the response content includes both legitimate VPAID (Video Player-Ad Interface Definition) properties that render a video ad and, concurrently, malicious obfuscated code housing fingerprinting functions. This technique enables the attacker to profile and uniquely identify users.

3. Server-Side Fingerprinting:
The attack incorporates server-side fingerprinting, initiated if the client passes the fingerprint functions. The malicious script then sends a request to a private domain (e.g., trackmenow.life), appending URL parameters and extracting DOM data through a POST request, enhancing the fingerprinting dataset.

4. Redirect Mechanisms:
Upon successful server-side fingerprinting, the script responds with redirect code. This includes various methods to initiate the redirection process, diversifying the attack strategy.

Additional Techniques:

1. Obfuscation:
The attacker employs code obfuscation techniques to deliberately make the malicious script more challenging to understand, analyze, and detect.

2. Base64 Encoding:
Base64 encoding is used to encode data, potentially for concealing or transforming sensitive information within the malicious script.

3. MD5 Hashing:
MD5 hashing is applied, possibly for hashing certain data elements within the fingerprinting process, adding another layer of complexity.

Safeguarding Against ScamClub

To safeguard video inventory from the current VAST attacks, constant scanning of all video assets is imperative. Stay informed about ongoing research and updates on this threat by accessing the provided link or contacting our team directly.

GeoEdge is the trusted cyber security and ad quality partner for publishers and platforms in the digital advertising industry. With more than a decade of experience, we’ve built solutions to prevent tomorrow’s threats, today.