Malvertiser Makes the Big Bucks on Black Friday

Confiant reports a cookie-stuffing campaign by DatalyMedia that uses cloaking, hidden iframes, and multi-domain redirection to inflate ad conversions across programmatic platforms, with a Black Friday uptick. The analysis maps the actors, the traffic-laundering paths, GDPR/privacy concerns, and the campaign’s scale (about 125 million impressions in 2022). #DatalyMedia #TheBlueAffiliate #BadPublisherB #TradeTracker #Eficads #JustMediaGroup #JustClickMedia

Keypoints

  • DatalyMedia’s cookie-stuffing campaign spans multiple programmatic ad platforms with a notable uptick around Black Friday.
  • Cookie stuffing generates fake ad conversions by loading click URLs in hidden iframes during ad rendering.
  • The campaign uses cloaking and a two-path traffic model to launder fake conversions through publishers and affiliate networks while mimicking legitimate traffic.
  • Four entities are involved: Just Media Group (fka JustClick Media), Dataly Media, Eficads, and Tredia Solutions.
  • Confiant estimates roughly 125 million display ad impressions in 2022, with Black Friday volumes peaking at about 9x the daily average.
  • Privacy and GDPR concerns are prominent: 76% of cookie-stuffing ads targeted Europe, with rogue tracking pixels loaded without user consent and questionable vendor registrations.
  • Technical analysis shows cloaking tests, AWS-based test endpoints, and redirection chains through theblueaffiliate.net and Bad Publisher B to conceal target details.

MITRE Techniques

  • [T1059.007] JavaScript – The script execution includes a cloaking component that conditionally loads hidden iframes. ‘The script that DatalyMedia executes has a cloaking component that conditionally loads one or multiple hidden iframes.’
  • [T1189] Drive-by Compromise – Hidden iframes are used to trigger fake clicks as ads render. ‘The common way to generate these fake clicks is to surreptitiously load click URLs in hidden iframes inside the ad as it renders.’
  • [T1027] Obfuscated/Compressed Files and Information – Cloaking is used to evade detection. ‘To circumvent detection, DatalyMedia leverages cloaking.’
  • [T1071.001] Web Protocols – External endpoints and trackers are contacted via HTTP(S) requests (GET/POST) to track and route clicks. ‘GET https://dugqz5bb8j.execute-api.eu-west-2.amazonaws.com/t/get/…’
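The hidden-iframe mechanism quoted under T1189 and the cloaked loading under T1059.007 both leave a footprint in the rendered creative: an iframe that the user cannot see, whose src is a click or postback URL. The detector below is an added example written for this summary, not Confiant's tooling and not code from the original post. It takes plain frame records (src, box size, computed display/visibility/opacity), decides whether each frame is hidden, and checks the src against the tracking hosts listed in this page's indicators and the click-style query parameters (campaignId, creativeId, siteId, exchange, strategy) that appear in the page's sample URLs. The record shape, the hidden-frame heuristics, the severity tiers and the sample frames are assumptions for illustration; `collectFrames` shows how the records would be gathered from a live DOM when the script runs inside a browser or an ad-verification wrapper.

```javascript
// Added example (not Confiant's code). Flags hidden iframes whose src points at a
// known affiliate click/tracking host, a rendered-creative signal of cookie stuffing.

// Click-tracking / redirect hosts taken from the indicators on this page.
const IOC_HOSTS = new Set([
  "theblueaffiliate.net",
  "lnk.theblueaffiliate.net",
  "dugqz5bb8j.execute-api.eu-west-2.amazonaws.com",
  "linkbux.com",
  "thetop3.com",
]);

// Query parameters carried by the page's sample click URLs; two or more of them
// in a hidden frame's src is treated as a secondary signal (assumed threshold).
const CLICK_PARAMS = ["campaignId", "creativeId", "siteId", "exchange", "strategy"];

// Exact match or subdomain match against the IoC host list, case-insensitive.
function hostMatches(hostname) {
  const h = hostname.toLowerCase();
  for (const ioc of IOC_HOSTS) {
    if (h === ioc || h.endsWith("." + ioc)) return true;
  }
  return false;
}

// A frame record describes one <iframe>. Hidden = display:none, visibility:hidden,
// opacity 0, a 0x0 / 1x1 box, or placement fully off-screen (assumed heuristics).
function isHiddenFrame(f) {
  if (f.display === "none" || f.visibility === "hidden") return true;
  if (typeof f.opacity === "number" && f.opacity === 0) return true;
  if (f.width <= 1 || f.height <= 1) return true;
  if (f.left !== undefined && f.top !== undefined &&
      (f.left < -f.width || f.top < -f.height)) return true;
  return false;
}

// Classify frame records. Severity: "high" = hidden + IoC host,
// "medium" = hidden + click-style params on an unknown host, "low" = visible IoC host.
function classifyFrames(frames) {
  const findings = [];
  for (const f of frames) {
    let url;
    try { url = new URL(f.src); } catch { continue; } // srcdoc / relative src: skip
    const hidden = isHiddenFrame(f);
    const iocHost = hostMatches(url.hostname);
    const params = CLICK_PARAMS.filter((p) => url.searchParams.has(p));
    let severity = null;
    if (hidden && iocHost) severity = "high";
    else if (hidden && params.length >= 2) severity = "medium";
    else if (iocHost) severity = "low";
    if (severity) findings.push({ src: f.src, hidden, iocHost, params, severity });
  }
  return findings;
}

// Browser-side collector (assumed usage): builds frame records from a live document.
function collectFrames(doc) {
  const win = doc.defaultView;
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { src: el.src, width: r.width, height: r.height, left: r.left, top: r.top,
             display: cs.display, visibility: cs.visibility, opacity: parseFloat(cs.opacity) };
  });
}

// Constructed sample input: a 1x1 frame loading the page's tracking endpoint, a
// display:none frame with click-style params on an unknown host, a normal visible
// creative frame, and an about:blank placeholder.
const SAMPLE_FRAMES = [
  { src: "https://lnk.theblueaffiliate.net/trk/RVKTdRpig1AgtgNXoDRQd46L/?c2=true&campaignId=1245138&creativeId=8521972",
    width: 1, height: 1, display: "block", visibility: "visible", opacity: 1 },
  { src: "https://tracker.example/click?campaignId=1&creativeId=2&siteId=3",
    width: 300, height: 250, display: "none", visibility: "visible", opacity: 1 },
  { src: "https://cdn.example/creative.html",
    width: 300, height: 250, display: "block", visibility: "visible", opacity: 1 },
  { src: "about:blank", width: 0, height: 0, display: "block", visibility: "visible", opacity: 1 },
];

if (typeof document !== "undefined") {
  console.log(classifyFrames(collectFrames(document)));
} else {
  console.log(classifyFrames(SAMPLE_FRAMES)); // two findings: one high, one medium
}
```

Run under Node to see the sample findings; in a browser the same `classifyFrames` consumes `collectFrames(document)`. The host list is the signal with the lowest false-positive rate, which is why it alone drives "high"; the parameter heuristic exists because the redirect chain in the page rotates through several domains, so a hidden frame carrying campaign and creative identifiers is worth surfacing even when its host is not yet on a list.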

Indicators of Compromise

  • [Domain] Ad network / redirect domains – theblueaffiliate.net, lnk.theblueaffiliate.net, beautyworksonline.com, tudn.mx, thetop3.com, linkbux.com and other domains
  • [URL] Tracking / redirect endpoints – https://dugqz5bb8j.execute-api.eu-west-2.amazonaws.com/t/get/RVKTdRpig1AgtgNXoDRQd46L?mmid=1&siteId=276777&referrer=https://www.google.com/&exchange=cas&siteUrl=www.voici.fr&strategy=12607048&campaignId=1245138&creativeId=8521972&rn=4048973770536923350, https://lnk.theblueaffiliate.net/trk/RVKTdRpig1AgtgNXoDRQd46L/?c2=true&campaignId=1245138&creativeId=8521972&exchange=cas&mmid=1&referrer=https%3A%2F%2Fwww.google.com%2F&rn=4048973770536923350&siteId=276777&siteUrl=www.voici.fr&strategy=12607048
  • [URL] Redirect chain / postbacks – https://www.thetop3.com/uk/top-3-unique-gifts-for-your-soulmate/, https://www.linkbux.com/track/e266uWOnCOlkX6woQDCFs3dUTD57c2EajL_aOE9LBtEaNMDXGGuaAd0iCEANyHpwod2qxgTOd3maDVlg_c?url=https%3A%2F%2Fbeautyworksonline.com%2F&uid=63523bd176755c47d5ce7d9f-RL-246703
  • [Domain] Campaign landing / fraudware domains – elektra.mx, beautyworksonline.com, and related MFA-style domains

Read more: https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865