Malvertising campaigns linked to ScamClub redirected readers of top sites (AP, ESPN, CBS) to fake security alerts and malicious affiliates. The operation blended real-time bidding with obfuscated JavaScript and cloud hosting to evade detection and sustain malicious redirects. #ScamClub #AssociatedPress #ESPN #CBS #trackmaster #systemmeasures.life
Keypoints
- ScamClub has a long-running malvertising presence and was behind high-profile redirects affecting major publishers including Associated Press, ESPN, and CBS.
- The campaign abused real-time bidding (RTB) on ad exchanges to deliver fake antivirus/malware alerts: the publishers' sites were not compromised, the malicious content arrived inside legitimately purchased ad slots.
- The landing page at systemmeasures.life redirects visitors to one of ScamClub's affiliates; although the page mimics a McAfee-branded prompt, it has no connection to McAfee.
- The actors rely on obfuscation and evasion: the JavaScript payloads rotate variable names to defeat static signatures, and hosting was moved from Google Cloud to Azure CDN (azureedge.net).
- Malvertising campaigns also target mobile users, with Malwarebytes for Android offering protection against this specific campaign.
- The top-site campaign peaked around November 19, while smaller-site campaigns persisted via vulnerabilityassessments.life domains.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious ads delivered through real-time bidding to redirect users to a malicious landing page; ‘domain name systemmeasures[.]life … is the landing page that redirects to one of its affiliates’.
- [T1583] Acquire Infrastructure – The malicious JavaScripts moved from Google Cloud hosting to Azure CDN, illustrating a shift in infrastructure used by the campaign; ‘malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN’.
- [T1027] Obfuscated Files and Information – The actors use JavaScript obfuscation with changing variable names to evade detection; ‘obfuscation with changing variable names’.
Indicators of Compromise
- [Domain/URL] ScamClub landing pages and related domains – systemmeasures.life, xyzcreators.xyz, and other landing pages.
- [JavaScript Hash] ScamClub JavaScript hashes – c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e, 899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad, and 13 more hashes.
- [Redirectors] Redirector domains – trackmaster.cc, vulnerabilityassessments.life, and other listed domains (e.g., protectsystemtools.life, securitypatch.life, real-time-system-monitoring.life, etc.).
- [IP] 34.74.68.195
- [URLs/Paths] ScamClub URL patterns – octob.azureedge.net/oc.js, lzi.azureedge.net/lz.js, tinlc.azureedge.net/pt.js, bm-rb.azureedge.net/rb.js, foluo.azureedge.net/fo.js, vpv-ger.azureedge.net/VpaidVideoAd1.js.
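The indicators above are only useful once they are matched against telemetry. The script below is an added example (not code from the original page or from the researchers who published these IoCs) that turns the page's domains, IP, Azure CDN script URLs and the two listed SHA-256 hashes into a small proxy-log scanner. The log format and every log line are constructed for the example; the "13 more hashes" the page mentions are not reproduced because they are not on the page. Note the caveat encoded in `classify_url`: azureedge.net is shared Azure CDN infrastructure, so only the exact host+path pairs from the IoC list are flagged as script URLs, never the whole `*.azureedge.net` suffix.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IoCs copied from the page above. The page lists two hashes and says "13 more"
# exist; those are not reproduced here.
SCAMCLUB_DOMAINS = {
    "systemmeasures.life", "xyzcreators.xyz",
    "trackmaster.cc", "vulnerabilityassessments.life",
    "protectsystemtools.life", "securitypatch.life",
    "real-time-system-monitoring.life",
}
SCAMCLUB_IPS = {"34.74.68.195"}
# Exact host+path pairs. *.azureedge.net itself is shared Azure CDN space and
# must NOT be blocked or alerted on as a whole.
SCAMCLUB_SCRIPT_URLS = {
    "octob.azureedge.net/oc.js", "lzi.azureedge.net/lz.js",
    "tinlc.azureedge.net/pt.js", "bm-rb.azureedge.net/rb.js",
    "foluo.azureedge.net/fo.js", "vpv-ger.azureedge.net/VpaidVideoAd1.js",
}
SCAMCLUB_SHA256 = {
    "c01716e23f633b206147efbe70fb37945e3857d6575fd088ea50106fb541cf1e",
    "899cbfbd676159201b2281d9e0e66f3ac200ac58b674375bde04083ff87650ad",
}


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return the list of IoC categories the URL matches (empty if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in SCAMCLUB_IPS:
        hits.append("ip")
    if host_matches(host, SCAMCLUB_DOMAINS):
        hits.append("domain")
    if host + parts.path in SCAMCLUB_SCRIPT_URLS:
        hits.append("script-url")
    return hits


def script_hash_matches(body):
    """True if the SHA-256 of a fetched script body is a listed ScamClub hash."""
    return hashlib.sha256(body).hexdigest() in SCAMCLUB_SHA256


# Constructed sample proxy log (hypothetical format: ts client method url status).
SAMPLE_LOG = """\
2023-11-19T14:02:11Z 10.0.0.5 GET https://www.example-publisher.test/article/123 200
2023-11-19T14:02:12Z 10.0.0.5 GET https://octob.azureedge.net/oc.js 200
2023-11-19T14:02:13Z 10.0.0.5 GET https://cdn.trackmaster.cc/click?x=1 302
2023-11-19T14:02:14Z 10.0.0.5 GET https://systemmeasures.life/?aff=7 302
2023-11-19T14:02:15Z 10.0.0.7 GET https://assets.azureedge.net/legit/app.js 200
2023-11-19T14:02:16Z 10.0.0.7 GET http://34.74.68.195/x 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_log(text):
    """Yield (client, url, hits) for every log line whose URL matches an IoC."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        hits = classify_url(m["url"])
        if hits:
            findings.append((m["client"], m["url"], hits))
    return findings


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(hits)}")
```

Running the block flags four of the six constructed lines (the oc.js fetch, the trackmaster.cc subdomain, the systemmeasures.life landing page and the raw IP) and leaves the unrelated azureedge.net asset alone. In a real deployment the same `classify_url` can be applied to a HAR export or a CDN access log, and `script_hash_matches` to the response bodies of any flagged script fetch; remember that the page says the JavaScript rotates variable names, so hash matching will only catch the exact samples listed and domain/URL matching is the more durable signal.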