BadTrip: A chain of fake travel sites abuses search ads to commit fraud and credential theft


Brand impersonation and “cloaked” call-centers scale the scam up to more than 50,000 people. Scammers are raking in upwards of $800 per victim.


Successful malvertising campaigns have two key components: cloaking and churn. Normal security efforts will look at a handful of websites reached through persuasive, commercial-looking ads and conclude they are probably legitimate businesses. Scammers exploit this fundamental flaw to scale up their campaigns while staying undercover among a sea of new domains that look unrelated at first sight. However, as with everything on the Internet, scale is the most expensive part of any operation. Scaling comfortably means reusing code, reused code produces patterns, and patterns can be matched, which costs a scammer its most precious asset: its facade.


I’ll explain. Here’s a seemingly dumb line of code:

When combined with the string “Copyright”, it produces the all-too-familiar copyright notice at the bottom of every website, stamped with the current year: “Copyright 2023” is what it reads today.


Granted, there’s nothing too weird about having that on your landing page. But for us, it provides a key piece of intelligence: it indicates that this website is probably templated, i.e. it was built from a skeleton whose placeholders were meant to be replaced to fit someone’s specific needs. Many blogs, single-page business sites, and other small enterprises build sites from templates. In malvertising, combining template signals with other techniques reveals scale, and when ten websites, each supposedly a different hotel, all look the same, it comes off as fraud.
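One way to turn that template signal into a detection, as an added example that is not code from the original post: fingerprint each landing page's tag skeleton (tag names and attribute names, never the hotel-specific values or text) and group domains that share one. The sample pages are constructed, and the client-side copyright snippet is assumed to be JavaScript's `new Date().getFullYear()`, since the excerpt does not reproduce the exact line.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Assumed template signal: the copyright year is produced client-side by a snippet
# like new Date().getFullYear(). The exact line is not in the excerpt, so this is an assumption.
DYNAMIC_YEAR = re.compile(r"new Date\(\)\.getFullYear\(\)")


class SkeletonParser(HTMLParser):
    """Record tag names plus attribute names only; hotel names, images and phones live in values."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag + "[" + ",".join(sorted(k for k, _ in attrs)) + "]")


def fingerprint(html):
    """Short stable hash of the page skeleton; identical for pages built from one template."""
    p = SkeletonParser()
    p.feed(html)
    return hashlib.sha256("|".join(p.tags).encode()).hexdigest()[:16]


def has_dynamic_copyright(html):
    return bool(DYNAMIC_YEAR.search(html))


def cluster(pages):
    """Map skeleton fingerprint -> sorted domains sharing it; singletons are dropped."""
    groups = defaultdict(list)
    for domain, html in pages.items():
        groups[fingerprint(html)].append(domain)
    return {fp: sorted(ds) for fp, ds in groups.items() if len(ds) > 1}


# Constructed samples (not real sites): three "different hotels" from one skeleton, one hand-built inn.
TEMPLATE = ('<html><head><title>{n}</title></head><body><div class="hero"><img src="{i}" alt="{n}">'
            '<h1>{n}</h1></div><p class="cta">Call for reservations: {t}</p><footer>Copyright '
            '<script>document.write(new Date().getFullYear())</script> {n}</footer></body></html>')
SAMPLE_PAGES = {
    "hotel-alpha.example": TEMPLATE.format(n="Hotel Alpha", i="alpha.jpg", t="555-0100"),
    "hotel-beta.example": TEMPLATE.format(n="Hotel Beta", i="beta.jpg", t="555-0101"),
    "hotel-gamma.example": TEMPLATE.format(n="Hotel Gamma", i="gamma.jpg", t="555-0102"),
    "indie-inn.example": "<html><body><h1>Indie Inn</h1><ul><li>Rooms</li></ul>"
                         "<footer>Copyright 2019 Indie Inn</footer></body></html>",
}

if __name__ == "__main__":
    for fp, domains in cluster(SAMPLE_PAGES).items():
        dynamic = all(has_dynamic_copyright(SAMPLE_PAGES[d]) for d in domains)
        print(f"skeleton {fp} shared by {len(domains)} domains (dynamic copyright on all: {dynamic}):", domains)
```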


And in fact, that’s how we came across this attacker. The ads themselves look oddly vague — “call for reservations”, “fast reservations”. No mention of brands or purpose. What am I reserving?




When engaged, victims are taken to templated hotel landing pages:
