Security researchers have recently uncovered a new ad fraud network known as Scallywag, which has the ability to attract billions of weekly ad requests across hundreds of domains. This network is comprised of four WordPress modules that have been specifically designed to make it easier for threat actors to monetize illicit content through advertising.
According to researchers at security vendor Human, Scallywag functions by redirecting users from piracy catalog sites or URL-shortening service sites through intermediary cashout sites where threats actors display multiple ads before granting access to the promised pirated content or shortened URL. These cashout sites employ various tactics to slow down users and increase the number of ads that can be requested and displayed, such as requiring users to click buttons, solve CAPTCHAs, endure wait times, scroll through full pages, and navigate intermediary pages.
When cloaked, the cashout sites appear innocuous, often disguising themselves as benign blogs with no apparent connection to the original piracy or URL shortening domains. Most of the Scallywag cashout sites utilize a process called “deep linking” to decloak content, where a link on the catalog page redirects users to a webform that automatically submits and redirects them to the decloaked version of the desired page.
The campaign associated with Scallywag includes four WordPress extensions, three of which – Soralink, WPSafeLink, and Yu Idea – are sold by developers to individual threat actors, while Droplink is available for free behind its own Scallywag path. One of these extensions dates back to 2016, indicating that this network has been operating for several years.
Despite efforts to combat the fraudsters, Human has found themselves in a constant battle as traffic associated with Scallywag decreased by 95% from its peak of 1.4 billion bid requests per day in early April, only to see new cashout sites launched shortly after and gaining traction among visitors.
The existence of Scallywag highlights the ongoing challenges faced by security researchers and industry professionals in combating ad fraud networks that exploit loopholes in online advertising systems to generate revenue from illicit activities. As threat actors continue to adapt and evolve their tactics, it is imperative for organizations to remain vigilant and proactive in protecting their online assets and users from such malicious schemes. The discovery of Scallywag serves as a reminder of the importance of ongoing cybersecurity efforts and collaboration within the industry to address emerging threats and safeguard the integrity of online advertising ecosystems.