Massive Malvertising Campaign Exploits Ad Networks with Fake CAPTCHA Scam

A sophisticated malvertising operation dubbed "DeceptionAds" has been discovered delivering over 1 million daily ad impressions through a network of more than 3,000 websites, security researchers revealed this week.

The campaign, uncovered by Guardio Labs, abuses a single ad network service to funnel visitors to fraudulent CAPTCHA "verification" pages. These pages verify nothing; they instruct the visitor to carry out steps that run attacker-supplied code on the visitor's own machine, which in turn installs information-stealing malware such as Lumma.

"This campaign demonstrates the core mechanics of malvertising by funneling massive traffic through content sites to steal user accounts and funds," said Nati Tal, head of Guardio Labs.

The operation runs on Monetag, an advertising platform that offers various ad formats for website monetization. The threat actors register on Monetag as ordinary website owners, then place the BeMob ad-tracking service in front of their landing pages to cloak the true destination of the redirects from the platform's reviewers.

The attack flow begins when a visitor to one of the participating websites is redirected through a Traffic Distribution System (TDS) operated by the malvertising network. The TDS then lands the visitor on a fake CAPTCHA page hosted on one of several cloud services, including Oracle Cloud, Scaleway, and Cloudflare R2, so that the final page sits on infrastructure that carries no obvious link back to the operator.

Security researchers note that the campaign has grown beyond a single threat actor: multiple groups have since adopted the same fake-CAPTCHA social engineering technique to distribute remote access trojans and other malware.

Following disclosure to the affected parties, Monetag removed more than 200 accounts connected to the operation and BeMob took down the accounts used for cloaking. The takedowns did not end the campaign: researchers observed it resurging as of December 5, 2024.

The investigation highlights major gaps in content moderation and account validation across advertising networks. "This campaign reveals how legitimate ad infrastructure can be weaponized, creating a complex chain where multiple service providers inadvertently enable malicious activities while avoiding direct accountability," Tal explained.

Industry experts recommend strengthened verification processes and improved oversight of ad network participants to prevent similar abuse of advertising platforms for malware distribution.