A widespread malvertising campaign, dubbed DeceptionAds, has been uncovered, leveraging fake CAPTCHA pages to distribute the Lumma Infostealer malware. This operation exploits the digital advertising ecosystem at scale, causing thousands of victims daily to lose access to their accounts, personal credentials, and financial information. The campaign highlights significant vulnerabilities in ad network moderation and security practices.
Large-Scale Malvertising Campaign “DeceptionAds” Exploits Fake CAPTCHA to Deploy Lumma Infostealer Technical Overview
- Campaign Tactics
- Fake CAPTCHA Pages: Threat actors lure victims into executing Base64-encoded PowerShell commands under the guise of CAPTCHA verification.
- Malvertising Ecosystem: Malicious content is distributed via Monetag, a prominent ad network, and cloaked through services like BeMob, which complicates moderation.
- Scale: Over 1 million daily ad impressions are generated through 3,000+ compromised content sites, including pirated media platforms and clickbait websites.
- Malware Impact
- Lumma Infostealer Deployment: The malware targets banking credentials, social accounts, passwords, and personal files.
- Evasion Tactics: Malicious scripts hosted on cloud services like Oracle Cloud, Scaleway, and even Cloudflare evade detection and scrutiny by frequently updating payloads and obfuscation techniques.
- Infrastructure Abuse
- Ad Network Exploitation: Attackers use ad zones created by publishers and redirect traffic via Traffic Distribution Systems (TDS) to malicious CAPTCHA pages.
- Cloaking Mechanisms: Malicious campaigns leverage BeMob tracking services to conceal intent and avoid detection, further complicating content moderation efforts.
- Victim Demographics
- The campaign primarily targets users in search of free streaming content, pirated files, and clickbait articles, making its reach both broad and impactful.
What Our Threat Intelligence Team is Seeing
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- Trojan:Win32/LummaCStealer
- PWS:Win32/Lumma
Other Information Stealers that Defender detects:
- Trojan:Win32/Redline
- Trojan:Win32/Vidar
- Trojan:Win32/Raccoon
- TrojanDownloader:MSIL/AgentTesla
- Trojan:MSIL/NanoCore
- Trojan:Win32/Lokibot
- TrojanDownloader:MSIL/FormBook
- Trojan:Win32/Rhadamanthys
- Trojan:Win32/DarkGate
- Trojan:Win64/DarkGate
- Trojan:VBS/DarkGate
- Behavior:Win32/DarkGate
- Trojan:Win32/Delf
Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network:
- Information stealing malware activity
What We Suggest to Protect Against Large-Scale Malvertising Campaign “DeceptionAds” Exploits Fake CAPTCHA to Deploy Lumma Infostealer
- End-User Awareness: Educate users to avoid CAPTCHA prompts on suspicious websites or content sources.
- Endpoint Protection: Deploy robust endpoint detection and response (EDR) tools to monitor and block malicious PowerShell commands.
- Ad Network Accountability: Collaborate with ad networks to strengthen content moderation, enhance account validation, and ensure transparent reporting mechanisms.
- Blocking IOCs: Blocklisted domains, IPs, and URLs associated with the campaign should be implemented across firewalls and threat detection systems.
- For further details: Refer to research by Guardio Labs.
DIFEND WITH CONFIDENCE