- The researchers found a huge advertising fraud operation called Scallywag
- The scheme monetizes piracy sites through a series of redirects
- At its peak, there were 1.4 billion daily requests
Cybersecurity researchers at HUMAN have identified a major advertising fraud operation that took advantage of people's interest in pirated content to generate advertising revenue from content that would not normally be monetisable.
In an in-depth report, HUMAN explained that piracy websites do not serve advertisements themselves because doing so "would put them in breach of most advertisers' policies". Instead, they partner with hundreds of other websites (run by crooks, essentially) that deploy a set of four WordPress plugins on their properties.
These plugins are collectively named Scallywag, and they are designed to do a few things, but above all to load as many advertisements as possible and to make sure visitors stay until those ads have fully loaded. There are several tactics for slowing visitors down, from a "please wait" button that turns into "Download now" to fake CAPTCHAs and other methods. The plugins are called Soralink (published in 2016), Yu Idea (2017), Wpsafelink (2020) and Droplink (2022).
Stifling the operation
Once the ad had been served, visitors were redirected again and allowed to download the pirated content they had been looking for.
When HUMAN discovered the operation, it had 407 domains and was generating 1.4 billion fraudulent advertising requests per day. There is, it seems, strength in numbers: the fraudsters even made YouTube video tutorials coaching other people on how to join:
"These extensions lower the barrier to entry for a potential threat actor who wishes to monetize content that would not generally be monetizable with advertising; indeed, several threat actors have published videos coaching others on the implementation of their own schemes," HUMAN said.
The researchers moved to flag and block Scallywag traffic, and say they succeeded. Traffic reportedly dropped by 95%, although the operation is not entirely dead, as the threat actors have rotated domains and moved on to other monetization models.
Via BleepingComputer