CyberWire Daily - Bot or not? The fake CAPTCHA trick spreading Lumma malware. [Research Saturday]
Episode Date: February 15, 2025. Nati Tal, Head of Guardio Labs, discusses their work on "“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising." Guardio has uncovered a large-scale malvertising campaign dubbed “DeceptionAds,” which tricks users into running a malicious PowerShell command under the guise of proving they’re human. This fake CAPTCHA scheme delivers Lumma info-stealer malware while bypassing security measures like Google’s Safe Browsing. Even after disclosure and takedown efforts, the campaign resurfaced, raising concerns about the effectiveness of existing defenses against ad-driven cyber threats. The research can be found here: “DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down
the threats and vulnerabilities, solving some of the hard problems and protecting ourselves
in a rapidly evolving cyberspace.
Thanks for joining us.
How did they manage to go to such a large scale in such a short time?
That's Nati Tal, head of Guardio Labs.
The research we're discussing today is titled,
DeceptionAds: Fake CAPTCHA Driving Infostealer Infections
and a Glimpse to the Dark Side of Internet Advertising.
Because something else is going on,
and we want to understand what, and be able, maybe
in the future, to stop those kinds of things at the beginning, before they continue to propagate
at such scale.
So basically the fake CAPTCHA is something that we were familiar with, like a year ago, something like that.
It's actually a funny story, because the fake CAPTCHA like we see today, used by threat actors
and all those bad guys and scammers all around, started off as an educational repo on GitHub, for testing and for raising awareness, by some of the community,
cybersecurity community members, some that we know, but I won't say names now.
Eventually, they saw it as a good opportunity to educate, and scammers just took it and said,
oh, that's great, let's just fork this repo,
change the title and that's it.
And the real deal behind it is, again,
the payload itself, which is Lumma Stealer
and some other variants of that.
But the interesting part of it, and this is what we also
focused on in our research, is more of the propagation. How you actually get
those fake CAPTCHAs to show, to pop up on users' computers, on their screens
in the first place, and at such scale. And this is what was interesting for us,
because again, taking this kind of phishing page
out of a wrapper and duplicate it,
nothing innovative here,
but the real deal is to actually weaponize
in this kind of simple phishing page and in such scale.
Well, before we dig into some of the details of the work that you all did here,
for folks who might not be familiar with it, can you give us a little explanation
of how exactly this fake CAPTCHA
stealer campaign works?
Well, the phishing page itself, and this is why we also call it
fake CAPTCHA, is basically a CAPTCHA page.
Like we are already kind of used to seeing when we go to specific websites just to make
sure we are not bots or something like that.
And it's kind of our day-to-day when we enter those kinds of websites and are asked to make sure we
are human.
So sometimes you need to, I don't know, find the traffic lights on those pictures or some
other kind of stuff, or just click on a button and set it on and, okay, you're okay, you're
not a bot or computer.
And because we are so used to it, this is the exact point when scammers are entering
and using.
When you have your kinds of regular stuff you're doing all the time, searching on Google and clicking on the first result you get,
or entering a website and being asked to make sure you're human.
This is where scammers are eager to enter and use
those kinds of activities.
Because you are used to it, it's OK if you get a CAPTCHA.
Let's go on with it.
Let's just say that I want to see the website.
And this is exactly what they did.
Only that instead of just clicking on a button
or selecting those traffic lights,
you're asked to click on some buttons on your computer.
Again, it's a bit strange.
It's not like you are used to,
but for the regular user, it sounds legit.
Click on some buttons and then it's all okay.
But those buttons are not just any buttons.
Specifically targeting Windows systems.
If you click on Ctrl-R, you get the Run command.
And if you click on Ctrl+V, you paste a payload they already placed in your clipboard
that is actually a one-liner code execution,
with PowerShell or any other kinds of variants
we found lately.
So without even being aware,
you are executing code on your computer.
And what this code does, eventually after downloading a file and running some more commands,
but it's all done in the background, and you get yourself hit with a stealer.
And all your personal information accounts and everything, all is like in a matter of
seconds at the hands of the scammers.
So you and your colleagues wanted to get to the bottom of this,
and I hate to be a spoiler,
perhaps a spoiler alert here,
but it all comes down to ad networks, doesn't it?
Yeah, eventually.
Again, nothing new here, of course,
because we already talked about it in the last few years in other
research by Guardio, and not only us, of course, about abuses of any kind of ad network,
like Facebook itself, even, and Google search results that show up like fake pages of Slack and Notion and OBS even.
And all of this is not new.
But when we started analyzing specifically this campaign,
it was quite obscure to see that all of the flow,
all of the victims of this specific campaigns
come eventually from one single ad network.
And you're not used to seeing stuff like that.
Basically, threat actors try to propagate
from different aspects, by emails, SMSes, search results,
even just SEO poisoning.
But in this case, it was orchestrated entirely
by one ad network that we didn't know before.
And when we dug in and tried to analyze
the origin of this flow, it's like you're
opening a Pandora box, of course.
You realize that it's, again, it's one ad network,
but it's, and if you analyze the entire ad network,
you see that around, I don't know specifically,
but more than half of the ads
that it will eventually pop on your computer
are malicious in some way or not entirely legit.
And not only that, the publisher websites,
meaning the sites that monetize on their traffic
with this ad network,
they also share too much of their characteristics together,
meaning it sounds and feels like everything is orchestrated
from the beginning to the end.
Again, it's just me saying that.
I don't have the exact book in hand,
but we are working on that.
But again, you see so many publisher websites
that are more of the same,
mostly pirated content and video streaming and movies
and anime and of course adult content.
And all those websites are practically the same.
They look and feel the same.
We even found some repos in GitHub of those websites. Just fork it, change the specific tag for your convenience,
you know, of your specific ad network you're using,
and upload it, and that's it.
You have a site you can monetize on your traffic,
and all the ad networks there will practically
form the same actor.
In this case, the actor, not the threat actor,
is a company, an ad network that is eventually legit,
PropellerAds, which is very powerful and works all around the world,
and everything is legit and okay.
But we see sub-companies or small companies or different
brands that are behind the infrastructure and also the name of PropellerAds that are
eventually used in many cases. I can't say most, I can't say it's intentional,
but they are used for propagation of malicious content at the end of it.
Yeah. Well, let's walk through it together step by step here.
I mean, can you take us through how is this ad network being used?
How do things end up in their network and then ultimately on our systems.
Can you take us through that journey?
Well, let's make it from the point of view of a publisher.
In the ad networks lingo, a publisher is a website that wants to monetize on their traffic.
So for an example, I am a website that want to stream movies.
Those movies are probably pirated and not,
I'm not Netflix.
But I want to monetize on traffic.
So I have a host, I have a domain
and I created some kind of website.
Or even if I look around I found some
templates already made for movies and streaming. So I upload this website and
now I want to monetize my traffic. So I go to any kind of ad network, I
register a user there and I add my website, my domain, to their system, set it up on my
main page or any other page of my website.
And basically that's it.
From that moment on, this specific ad network, in our case, in this research, it was an ad
network named Monetag.
So from this moment on, every visitor
that visits my websites, they get my content,
but also have a script managed and created by Monetag
running on their browser.
So what this script actually does is creating an ad zone,
meaning a specific zone for advertising on my website.
I choose if I want it to be a pop-up
or a pop-under in their lingo.
It used to be pop-under behind your website,
it's not working anymore.
Yeah, everybody hated those.
Yeah, yeah.
We did see some people trying to bring it back on and try other techniques to create
those pop-unders.
Some made it, but again, this time Chrome is fast in fixing those kinds of bugs or exploitations.
So now we have pop-ups.
Again, it's not legit as well.
And you have pop-ups and you have push notifications and you have fake push notifications that
jump on top of your website. But anyways, from that moment on,
Monetag is controlling my website
and presenting ads as I requested.
And in this case, the most hateful, I guess,
type of advertising is those pop-ups
that everywhere you click on the page,
a new tab is popping up with a different content from what you were looking for.
And what happens in this specific moment is a new tab is opened, it goes
to Monetag's infrastructure, or traffic distribution system, TDS like we call it,
which is a list, in this case, of thousands of domains used specifically to trigger those kinds of advertisements.
What they do is try to fingerprint who I am, the visitor, what kind of computer I have, what kind of social networks I use.
They even try to load some resources from Facebook
and Twitter, X and stuff like that,
just to fingerprint who I am and what would be the most,
the perfect advertisement to show me in their case.
And from that moment, when they have their decision,
they're moving me on to their advertiser.
And the same: this Monetag network has publishers,
the ones that created those websites
and are monetizing all the traffic,
and advertisers that show their creatives
and any kind of other advertisement
and ask for those advertisements to be shown to visitors.
And from that moment on, an advertisement is selected
and we move on with redirects and other tricks
to show in this specific advertisement.
In the fake CAPTCHA, specifically
in the fake CAPTCHA campaign, it was more complex,
which is also something that we realized that is not there
for, I don't know, for statistics
or for other kinds of technicalities,
but specifically to try to obfuscate or to even
make it harder for analysts like us to realize something bad is happening or where this is
exactly happening.
So what they did is, instead of using the endpoint, the fake
CAPTCHA page URL, they were using some other, we call them
cloakers, other services that are, again, from the ad
industry, ad statistics, in this case, BeMob, and made the
link for the advertisement to be a BeMob-created link,
hiding eventually the real URL of the fake CAPTCHA.
So from Monetag to BeMob, and again, the same occasion also there,
analyzing who is the visitor, etc., etc.,
and then eventually redirecting you to the fake CAPTCHA page.
So, one of the things you point out in the research is this is set up in a way that it
makes it harder to point the finger at any one particular organization.
I think in your research there are like four different
organizations who along the way of delivering this ad
all have a hand in what's going on here,
but they can all kind of point to each other and say,
no, it's not us, it's them, they're the responsible party.
Exactly.
And we call it the fragmented accountability
of the ad network system.
And this is exactly what makes it perfect for scammers.
Because again, ad networks, they are legit.
Everything is okay.
The entire ecosystem of the internet basically is based on advertisement.
You know, if it's free, you are the product.
So what they are using in this case is a long, long chain, like we just talked about,
from the publisher website to Monetag, to the TDS,
to BeMob, to another cloaker, et cetera,
and eventually to the host that
hosts this landing page, or in this case, the fake CAPTCHA,
which is also a legit host.
In this case, even Oracle Cloud was used.
And Cloudflare itself in some cases.
So this long chain of accountability is what makes it harder for us, security researchers,
and basically the entire security community to be able to block those kinds of campaigns.
We tried that. One of the first things we did at Guardio was to collect all the data, understand exactly what is happening,
who are the actors in this chain, and contact them. So we contacted, it's a good example to see how
hard it is to actually get those kinds of campaigns down, and for good. We contacted Monetag. After a few days, they answered back.
We gave them all the URLs we see and all the data we have.
And indeed, they took it down.
They said that they had around 200 different accounts used
specifically for this campaign of advertisers. So this was one part of it.
Then we went to BeMob, that were used, or abused in this case, as well.
They also talked to us quite quickly,
a few days, like two days later,
and took down all their accounts as well.
We did see the campaign going down for almost a week,
which is great, of course, but,
and here comes the important part of it.
So we took it down.
First of all, it took us around a week of emailing
and you know, and it's not that simple to say to a company that
okay you have a customer that is abusing your system, I know this customer is paying you,
you have your obligation for that customer but you need to take him down.
It's hard to say that to a company. And you need to be very careful, to give
all the information, the real information; it's not always that simple to get this kind
of information. And this is why it took us a few days just to interact with Monetag in
this case. But in those few days, millions of people got those CAPTCHA pages, and probably 100,000 of them at least
actually had those stealers installed on their system and got infected.
So even though this is like the first part of it, the part that makes it harder to act quickly. And on the other hand, it was down for a week
or something like that.
It got back quite quickly on the same ad network again,
after a few days.
And again, we approached them and they took him down,
they're down, again, a few more accounts, et cetera.
But on a parallel path,
the threat actors realized,
okay, we now understand they got us on Monetag.
No worries, we have like 100 other ad networks to use,
and they do have those 100 other ad networks like Monetag.
And we quickly saw the same campaign, same pages,
even same hosts that we also approached them to take down those kind of pages.
Again, new accounts, new ad networks, and the campaign is right back.
It took them four days to get back to the same scale it was before.
Right. Well, I mean, without calling anyone out specifically here, I suppose there's
a lot of money to be made by turning a blind eye to this sort of thing.
Exactly. And this is also something that we suspect, of course. And again, I don't have the smoking gun just yet,
but this is a big industry and a lot of money,
a lots and lots of money in advertisements.
And again, not only in advertisement,
but also those threat actors,
they do, there is a reason why they are doing that as well.
And because they are persistent and the ad networks are
persistent and they want to continue their business as usual,
it's hard to actually report and take down those kinds of threats.
And this is also why, okay, we approach them just to see that everything is okay.
And it's our first approach to Monetag in this case.
We wanted to see who are the people behind this company
and that everything is legit and okay.
But again, if not Monetag, there are like hundreds of other names I can tell you, even
some new very funny names.
I have to mention them.
The guys from Infoblox that we also cooperated with them on this research.
And they are also working on those kinds of TDSs for years now.
And they just realized a new ad network,
even two ad networks were created out of the blue.
And one is called, it's all for the
Breaking Bad enthusiasts,
Los Pollos, one ad network, and Taco Loco, with .co
as the TLD of the domain. And great graphics, really great graphics, and amazing websites for those ad networks.
But again, you look at those ad networks and you understand that it's just another fork of Monetag stuff and other networks that are part of bigger
networks, just to be able to spread around different kinds of networks, different kinds
of obligations, accountabilities, just to keep the business running and not stopping.
I mean, it reminds me,
I think we've all been in that situation where you're
using an ad blocker and you'll go to visit a site and it pops up and says,
so we see you're using an ad blocker,
please disable your ad blocker.
But this sort of research,
I think is a good reminder that ad blockers are security,
right? Because so many ads out there are malicious.
Yes and no.
And I'll try to answer that.
Well, again, also for us, by the way, any user of the internet,
if you block all advertisements for all the internet users
all around the world, there won't be any internet. So we need to remember that as well. But saying that,
as you can see, many ad networks are being abused. Even Google and Facebook are abused for
malicious content in scale. And some, I guess, again, no smoking gun yet,
are there specifically for those reasons,
because the big money is there.
But again, ad blocking is important.
But it's not only on ads.
So you will get this kind of malicious content from any kind of other path, email, SMS, posts on Facebook
on social, and whatever.
Also, specifically for Monetag, they
have created quite a sophisticated obfuscation
for their code that makes it harder, much harder,
for ad blockers to be able to block it.
And not only that, we mentioned also another phrase, TDS, traffic distribution system.
Again, it's a list of thousands and thousands of domains.
Those are the domains that those ad blockers need to block,
any kind of request for those domains.
But those domains are changed and regenerated
on a daily basis.
So if you have an ad blocker, it will work on some of the sites.
A day later, most of the sites, it won't work on them.
They're already using different domains.
They know what they're doing in this case.
Right, right.
So you need to have also blocking those kinds of TDSs.
Also block the actual malicious content.
And most importantly, and this is what is our holy grail here
at Guardio, not only block a content specific because they can
change it and make many variants,
like a few minutes later and you won't block it.
Don't fingerprint malicious content, it won't work.
Also, don't fingerprint domains,
because domains change all the time.
What we do is mostly look at the flow.
Where you get this information from, where you get this pop-up from, what you did before,
what you're doing after.
Because we know how threat actors work and where they want to hit their victims, and pinpoint
the specific area where it's the best place to place this kind of
fake CAPTCHA, for example.
We look at the flow and then we can block these kinds of anomalies even without knowing
what is the malicious content at the end.
Our thanks to Nati Tal from Guardio Labs for joining us.
The research is titled DeceptionAds:
Fake CAPTCHA Driving Infostealer Infections and a Glimpse to the Dark Side of Internet
Advertising.
We'll have a link in the show notes.
That is Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman
and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. We'll see you back here next time.