- Researchers found a huge ad fraud scheme called Scallyway
- The scheme monetizes pirated sites through a series of redirects
- At its peak, there were 1.4 billion daily requests
Cybersecurity researchers from HUMAN have spotted a major ad fraud operation that leverages people’s interest in pirated content to generate ad revenue from otherwise non monetizable content.
In an in-depth report, HUMAN explained pirated websites don’t host ads because they would “run afoul of most advertisers’ policies”. Instead, they are partnering with hundreds of website owners (scammers, basically) who deploy a set of four WordPress plugins on their assets.
These plugins are collectively named Scallywag, and they are designed to do a couple of things, but mostly to load as many ads as possible, and make sure people stick around until they fully render. There are a couple of tactics to slow visitors down, from the “please wait” button that turns to “download now”, to fake CAPTCHAs and other methods. The plugins are called Soralink (released in 2016), Yu Idea (2017), WPSafeLink (2020), and Droplink (2022).
Choking the operation
After rendering the ad, visitors are again redirected and allowed to download the pirated content they were looking for.
By the time HUMAN discovered the operation, it counted 407 domains and 1.4 billion fraudulent ad requests – per day. It seems the strength is in numbers, since the fraudsters even made YouTube video tutorials, coaching other people on how to join:
“These extensions lower the barrier to entry for a would-be threat actor who wants to monetize content that wouldn’t generally be monetizable with advertising; indeed, several threat actors have published videos to coach others on setting up their own schemes,” HUMAN said.
The researchers moved in to report and block Scallywag traffic, and claim to have largely succeeded. The traffic allegedly shrunk by 95%, although the operation is not entirely dead since threat actors rotated domains and moved to other monetization models.
Via BleepingComputer
