Fake Virus Alerts Scheme Infecting Major News Companies’ Sites

According to new research from a security software company, a notorious malvertising actor called ScamClub has infected some of the most widely viewed news sites with fake virus alerts using McAfee. The anti-malware vendor described how ScamClub’s latest malvertising effort has moved to mobile news sites for companies, including the Associated Press, ESPN, and CBS. Visitors to the mobile news sites are redirected to fake virus alerts issued by “a malicious McAfee affiliate.” Malvertising methods often include threat actors posing as legitimate advertisers or marketing affiliates and serving malicious ads or redirecting users to threat operator-controlled domains through commercial ad networks and platforms. The anonymous affiliate in the campaign directs users to a fake McAfee antivirus scanner, a type of scareware, located under the domain “systemmeasure[.]life.”

According to a blog from a security software company, a Mastodon user discovered the campaign while browsing the Associated Press’s APNews mobile site. Users were led from the site to a fake McAfee antivirus scanner and were eventually sent to a legitimate McAfee checkout page. The user claimed in a follow-up post that the threat actor behind the site was a member of McAfee’s affiliate network, which makes them complicit in malicious scareware takeover ads. The security software company stated that the affiliate was previously flagged for abuse. One YouTube personality and software engineer that analyzes and exposes scams flagged the affiliate, identified as “affid-1494”, for a different McAfee campaign that involved fake subscription expiration notices.

A McAfee Help Twitter representative responded to the YouTube user stating that McAfee take the reports of the activities very seriously as a threat to both the customers and the brand and works to prevent the activities when they’re made aware of them. However, the security software company stated in its report that the affiliate’s activities continued unabated. According to the security software company’s senior director of threat intelligence, researchers identified the malicious affiliate based solely on its ID number, affid-1494, in the URLs of the landing pages. The senior director, however, stated that the affiliate has been involved in criminal activities for years, citing a September 2020 tweet from the McAfee Help account, which stated a user complaint had been sent to the company’s legal team.

ScamClub has been operating at least since 2018. An ad security provider discovered the threat group in 2018 during a large browser hijacking campaign that routed iOS users to scam pages containing malware, including fake gift cards and adult content. The ad security provider discovered that ScamClub stole over 300 million browser sessions in just 48 hours. The security software company’s researchers discovered a malicious domain formerly used by ScamClub that was linked to the systemmeasure[.]life landing page in the current fake virus alert campaign. Additionally, researchers described how ScamClub’s JavaScript payload employs obfuscation tactics to avoid detection, including randomly changing variable names.

The security software company discovered that ScamClub’s JavaScript code was formerly hosted on Google Cloud services before being moved to Microsoft’s Azure CDN. Researchers discovered that ScamClub employed real-time bidding to exploit at least 16 different digital ad exchanges during the campaign. According to a blog post, one security software for Android protects users from malvertising campaigns, however, iOS users may be more vulnerable. One report stated that ScamClub demonstrates how targeting a big market segment, Mobile Web, where security software is frequently an afterthought, particularly in iOS, because of the restrictions imposed by Apple. Malvertising is thriving on Mobile, and users are more likely to get into downloading malware or get scammed. The senior director of threat intelligence stated that protection options are restricted because Apple doesn’t let third-party security software have full control over iOS mobile devices. It’s part of Apple’s built-in protection, which makes users safer, however, it won’t allow software vendors to use all the product features.

With more threat actors, including ScamClub, utilizing fake virus alerts in their malvertising schemes to target users and companies, it’s important to remain alert to the current threat landscape and have the latest version of anti-malware software on phones or desktops. At SpearTip, our cybersecurity awareness training educates individuals and organizations about best cybersecurity practices and provides the knowledge and skills necessary to protect their systems and data from cyber threats. Our training covers topics such as password security, phishing scams, social engineering, malware, data protection, and network security. By providing cybersecurity awareness training, organizations, and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that can reduce the likelihood of cyberattacks. Cybersecurity awareness training is an essential component of any comprehensive strategy to protect sensitive information, such as personal data, financial information, or intellectual property, and to prevent data breaches, system downtime, and other negative consequences that can result from cyberattacks.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.