ScamClub spreads fake McAfee alerts to ESPN, AP, CBS sites

Malwarebytes said the malicious affiliate behind the fake virus alerts and other malvertising attacks has been flagged many times over the years, but McAfee has yet to take action.

A notorious malvertising actor known as ScamClub has infected some of the most widely visited news sites with a bevy of fake McAfee virus alerts, according to new research from Malwarebytes.

In a blog post Thursday, the antimalware vendor detailed how ScamClub's latest malvertising campaign has spread to mobile news sites for companies such as the Associated Press, ESPN and CBS. The campaign redirects visitors from those mobile news sites to fake virus alerts delivered by "a malicious McAfee affiliate."

Malvertising schemes typically involve threat actors masquerading as legitimate advertisers or marketing affiliates, then using commercial ad networks and platforms to serve malicious ads or redirect users to attacker-controlled domains. In this campaign, the unidentified affiliate directs users to a fake McAfee antivirus scanner -- which is a type of scareware -- hosted at the domain systemmeasures[.]life.

Malwarebytes noted in the blog post that Mastodon user Blair Strater spotted the campaign earlier this month while on the Associated Press' AP News mobile site. Strater was redirected from the site to the fake McAfee antivirus scanner, and on some occasions, he was eventually forwarded to an authentic McAfee checkout page. In a follow-up post, he speculated that the threat actor behind the domain was part of McAfee's affiliate program, "which makes them complicit in malicious scareware takeover ads."

The affiliate was previously reported for abuse, according to Malwarebytes. In a tweet on Sept. 27, YouTube personality and software engineer Jim Browning, who tracks and exposes scams, flagged the affiliate -- identified only as "affid=1494" -- for a different McAfee campaign involving fake subscription expiration alerts.

A company representative responded to Browning via the McAfee Help account, stating, "McAfee takes reports of these activities seriously as a threat to both our customers and brand and we work to stop such activities when we are made aware of them. Thank you for bringing this to our attention." However, Malwarebytes said in its report that the affiliate's activity "continues unabated."

Jérôme Segura, senior director of threat intelligence at Malwarebytes, said researchers were able to identify the malicious affiliate through only its ID number, affid=1494, in the landing pages' URLs. However, he said this affiliate has been engaged in malicious activity for years, citing a tweet from September 2020 in which the McAfee Help account said a related user complaint had been sent to the company's legal team.

"As far as we can tell, this affiliate has not been banned yet. We also reported it on several occasions," Segura told TechTarget Editorial.

UPDATE 12/4: A McAfee spokesperson told TechTarget Editorial that the malicious affiliate had already been removed prior to the publication of Malwarebytes' report.

"McAfee takes affiliate fraud very seriously, and should an affiliate partner violate our policy agreements, we act quickly to remove them," the spokesperson said in a statement. "In this instance, on 11/20, we identified the affiliate in question as violating our policy, and this partner was swiftly removed from our program on 11/21. The Affiliate ID mentioned is an internal tracking parameter for our program and is not specific to any one single affiliate partner, hence why the ID itself is still visible, even when the partner is removed."

ScamClub connection

ScamClub has been active since at least 2018. Ad security vendor Confiant first observed the threat group that year in a massive browser hijacking campaign that redirected iOS users to scam pages -- including fake gift cards and adult content -- that contained malware. Confiant found that ScamClub had hijacked approximately 300 million browser sessions in just a 48-hour period.

In the current fake virus alert campaign, Malwarebytes researchers found a malicious domain previously used by ScamClub that was connected to the systemmeasures[.]life landing page. Researchers also detailed how ScamClub's JavaScript payload uses obfuscation techniques such as randomly changing variable names to evade detection.

In addition, Malwarebytes noted that ScamClub's JavaScript code was previously hosted on Google Cloud services, but was moved to Microsoft's Azure CDN. Researchers found that ScamClub abused at least 16 different digital ad exchanges in the campaign through real-time bidding.

According to the blog post, Malwarebytes for Android protects users from this malvertising campaign, but iOS users might be more vulnerable. "ScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an afterthought, in particular on iOS, in part due to restrictions imposed by Apple," the report said. "Clearly, malvertising is flourishing on Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed."

Segura said because Apple does not allow third-party security software to have full control over iOS mobile devices, the options for protection are limited. "This is part of Apple's built-in protection, which does tend to make users safer -- i.e., walled garden -- but also won't let software vendors use all the product features they have," he wrote in an email.

Rob Wright is a longtime technology reporter who lives in the Boston area.

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing