DeceptionAds generates over 1 million daily impressions through 3,000 websites and fraudulent CAPTCHA pages.
Cybersecurity researchers have uncovered a previously unreported element of ClickFix-style attacks: a malvertising-driven campaign, dubbed DeceptionAds, that abuses a single ad network service for distribution and is aimed at stealing sensitive information.
“This campaign relies entirely on a single ad network for distribution, highlighting the core principles of malvertising. It delivers over 1 million daily ad impressions and has resulted in thousands of victims losing accounts and money through a network of over 3,000 content sites driving traffic,” stated Nati Tal, head of Guardio Labs, in a report shared with The Hacker News.
Recent analyses by cybersecurity firms reveal that these campaigns often redirect users of pirated movie websites and similar platforms to fake CAPTCHA verification pages. These pages instruct users to copy and run a Base64-encoded PowerShell command, ultimately deploying information stealers like Lumma.
Furthermore, these attacks are no longer linked to a single threat actor. Proofpoint has recently reported that multiple unidentified threat groups are employing this sophisticated social engineering tactic to deliver remote access trojans, stealers, and post-exploitation tools like Brute Ratel C4.
Guardio Labs traced the campaign’s origins to Monetag, a platform promoting various ad formats for monetizing websites, social media traffic, and Telegram Mini Apps. Threat actors have also utilized tools like BeMob ad-tracking to conceal their malicious activities. Monetag is additionally identified by Infoblox under the aliases Vane Viper and Omnatuor.
The campaign works as follows: threat actors register with Monetag while posing as website owners, then route the ad traffic they receive through a Traffic Distribution System (TDS) under their control, which ultimately lands users on a fake CAPTCHA verification page.
“Instead of directly linking to the malicious CAPTCHA page, attackers provided a legitimate-looking BeMob URL to Monetag’s ad management system,” explained Nati Tal. “This tactic exploited BeMob’s credibility, making it harder for Monetag to detect and block malicious content. The BeMob TDS then redirected users to the fake CAPTCHA page, hosted on platforms such as Oracle Cloud, Scaleway, Bunny CDN, EXOScale, and Cloudflare’s R2.”
After a responsible disclosure, Monetag removed over 200 accounts associated with the threat actors, and BeMob took down accounts used for cloaking. However, evidence suggests the campaign resumed as of December 5, 2024.
These findings highlight the critical importance of stronger content moderation and stricter account verification to prevent abuse.
“From fake publisher sites promoting pirated or clickbait content to complex redirect chains and cloaking techniques, this campaign demonstrates how ad networks intended for legitimate use can be exploited for malicious purposes,” Tal added.
“This creates a fragmented system of accountability, with ad networks, publishers, analytics platforms, and hosting providers each playing a role but often evading responsibility.”