Decoding ScamClub’s Malicious VAST Attack

The article details how ScamClub uses fingerprinting within VAST video campaigns to detect testing environments and decide whether to redirect users to scam pages. It describes a fingerprint variable that hides data via encoding and hashing and a sequence of checks (IP, time, location, iFrame, WebGL, OS touch events, DOM) before contacting a malicious ad server. #ScamClub #VAST #AdTech #GeoEdge

Keypoints

  • Malicious scripts in ScamClub campaigns perform sophisticated fingerprinting to distinguish real users from test environments and to decide when to render or redirect.
  • Fingerprint data is concealed within an attacker variable and obscured using base64 encoding, md5 hashing, and string obfuscation.
  • The fingerprint includes explicit fields: IP Address, Country Code, Hostname, Site ID, Timestamp, Ad Exchange Server, Browser Name/Version, Operating System, a Hash of Timestamp+IP+Salt, Bid ID, and X-RTB ID.
  • Not all data elements appear every time; missing data can be represented as ‘||’, increasing fingerprint variability and hindering prediction.
  • Anti-debugging techniques are integrated to thwart reverse engineering and analysis attempts.
  • Upon passing fingerprint checks, the script posts fingerprint data to a malicious ad server for further processing.
  • The ad server uses the collected data (including iFrame presence, WebGL details, touch capability, and DOM data) to determine whether to redirect to the scam page.

MITRE Techniques

  • [T1082] System Information Discovery – The script collects the fingerprint fields the article lists as crucial: ‘Crucial fingerprint: IP Address, Country Code, Hostname of the client’s location, Site ID (Hostname + ID), Timestamp of the tag’s request, Ad Exchange Server, Browser Name, Browser Version, Operating System, Hash of the Timestamp + IP + Salt, Bid ID, X-RTB ID.’
  • [T1027] Obfuscated/Compressed Files and Information – The fingerprint is stored in an attacker-controlled variable as a ‘|’-delimited string whose elements are partly concealed: ‘The data encapsulated within this variable is delimited by ‘|’. It undergoes partial concealment through various techniques, including base64 encoding, md5 hashing, and string obfuscation.’
  • [T1071.001] Web Protocols – Once the environment checks pass, the script POSTs additional fingerprint data to the malicious ad server: ‘If the script passes those functions, the script will send a POST request to the malicious ad server with more fingerprint data like.’
  • [T1562.001] Impair Defenses – An anti-debug function is used to thwart debugging attempts: ‘Anti Debug Verification: Strengthening the script’s resilience, an anti-debug function has been incorporated. This function actively detects and thwarts debugging attempts, adding an additional layer of defense against reverse engineering and analysis.’
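The keypoints and the T1082/T1027 entries above describe the fingerprint as a ‘|’-delimited string with base64-encoded elements, an md5 of Timestamp + IP + Salt, and empty elements that surface as ‘||’. The following Python is an added example, not code from the GeoEdge article or from the ScamClub script, showing how a defender might parse such a string from a captured creative or log line and recompute the hash field. The field order, which elements are base64-encoded, and the salt are assumptions for the example; the sample fingerprint is constructed.

```python
import base64
import hashlib
import re

# Field order follows the list in the summary. The real script's layout is not
# published here, so this order and the base64 encoding of hostname/site_id
# are assumptions made for the example.
FIELDS = [
    "ip", "country", "hostname", "site_id", "timestamp", "exchange",
    "browser", "browser_version", "os", "hash", "bid_id", "xrtb_id",
]
B64_FIELDS = {"hostname", "site_id"}  # assumed to be base64-encoded elements

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def try_b64(value):
    """Decode a base64 element; return it unchanged if it is not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except Exception:
        return value


def parse_fingerprint(blob):
    """Split the '|'-delimited string into named elements; '' (seen as '||') becomes None."""
    parts = blob.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} elements, got {len(parts)}")
    record = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "":
            record[name] = None          # missing element, rendered as '||' in the blob
        elif name in B64_FIELDS:
            record[name] = try_b64(raw)  # partial concealment via base64
        else:
            record[name] = raw
    return record


def missing_elements(record):
    """Names of the elements that were absent; the article notes this varies per request."""
    return [name for name, value in record.items() if value is None]


def hash_matches(record, salt):
    """Recompute md5(timestamp + ip + salt) and compare with the hash element."""
    if not (record["timestamp"] and record["ip"] and record["hash"]):
        return False
    digest = hashlib.md5((record["timestamp"] + record["ip"] + salt).encode()).hexdigest()
    return digest == record["hash"].lower()


def looks_like_fingerprint(blob):
    """Shape check for a scanner: right element count, an IPv4 element, a 32-hex hash element."""
    try:
        record = parse_fingerprint(blob)
    except ValueError:
        return False
    return bool(record["ip"] and IPV4_RE.match(record["ip"])
                and record["hash"] and MD5_RE.match(record["hash"]))


# Constructed sample: documentation IP, hypothetical salt, two elements left empty.
SALT = "example-salt"
_TS, _IP = "1723466096", "203.0.113.5"
_HASH = hashlib.md5((_TS + _IP + SALT).encode()).hexdigest()
SAMPLE = "|".join([
    _IP, "US",
    base64.b64encode(b"client1.example.com").decode(),
    base64.b64encode(b"site-ABC123").decode(),
    _TS, "", "Chrome", "114.0.5735", "Windows 10", _HASH, "bid-7890", "",
])

if __name__ == "__main__":
    rec = parse_fingerprint(SAMPLE)
    print(rec)
    print("missing:", missing_elements(rec))
    print("hash ok:", hash_matches(rec, SALT))
    print("matches shape:", looks_like_fingerprint(SAMPLE))
```

Because missing elements collapse to ‘||’, a detection that keys on a fixed number of ‘|’ separators survives the variability the article describes, whereas one that keys on specific values does not; the hash check is only useful once the salt has been recovered from a sample of the script.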

Indicators of Compromise

  • [IP Address] – 203.0.113.5, 198.51.100.10 – used for environment checks within the fingerprint.
  • [Country Code] – US, CA – part of the fingerprint data indicating user geography.
  • [Hostname] – client1.example.com, host-27.example.org – host identifiers used in the fingerprint.
  • [Site ID] – site-ABC123, site-XYZ789 – site identifiers embedded in the fingerprint.
  • [Timestamp] – 2025-08-12T12:34:56Z, 2025-08-12T12:34:58Z – timing information in requests.
  • [Ad Exchange Server] – exchange.adx.example, adx.example.net – servers involved in ad serving.
  • [Browser Name] – Chrome, Firefox – user agents referenced in fingerprinting.
  • [Browser Version] – 114.0.5735, 109.0.0 – version data used for profiling.
  • [Operating System] – Windows 10, macOS 12 – platform details collected.
  • [Hash] – SHA256(Timestamp+IP+Salt)=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 – example hash value for fingerprint integrity.
  • [Bid ID] – bid-7890, bid-4567 – identifiers tied to ad requests.
  • [X-RTB ID] – XRTB-12345, XRTB-98765 – additional request identifiers.

Read more: https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack