Malvertising Campaign Delivers Lumma Stealer Through Fake CAPTCHA Ads

Cybersecurity researchers at Guardio Labs have uncovered a large-scale malvertising campaign that distributes the Lumma Stealer malware through deceptive fake CAPTCHA verification pages. The campaign leverages the Monetag ad network to propagate over one million daily ad impressions across approximately 3,000 websites.

The Ad-Network ecosystem — Publishers monetizing on ad zones and Advertisers seeking impressions

The sophisticated operation, dubbed "DeceptionAds" by researchers, targets unsuspecting users browsing pirated content and streaming sites. The attack begins with strategically placed pop-up advertisements that redirect users to fake CAPTCHA verification pages designed to trick victims into executing malicious PowerShell commands.

Example of a full fake captcha malvertising attack flow including all services in use

The campaign's intricate mechanism involves using the BeMob ad-tracking service to cloak malicious intent, making it challenging for ad networks to detect and block the malicious content. By supplying a benign BeMob URL to Monetag's ad management system, threat actors effectively bypass initial content moderation efforts.

When users encounter the fake CAPTCHA page, a JavaScript snippet silently copies a malicious PowerShell command to their clipboard. The page provides seemingly innocent instructions for "verifying" their human status, which actually triggers the execution of the clipboard contents through the Windows Run dialog.

The fake captcha flow — forcing site visitors to unknowingly execute a PowerShell command

Once executed, the PowerShell command downloads and installs the Lumma Stealer, a sophisticated information-stealing malware capable of extracting sensitive data. The malware can compromise various browsers, steal cryptocurrency wallets, passwords, and personal documents, potentially leading to significant financial and privacy risks.

Guardio Labs reported the campaign to both Monetag and BeMob. Monetag responded by removing 200 associated accounts within eight days, while BeMob took action to stop the campaign in four days. However, researchers observed a quick resurgence, indicating the threat actors' persistence in exploiting ad networks.

The investigation highlights the vulnerabilities within the digital advertising ecosystem. Ad networks, publishers, and tracking services often share a fragmented responsibility that creates opportunities for malicious actors to distribute dangerous malware.

To protect against such attacks, cybersecurity experts recommend:

The DeceptionAds campaign serves as a stark reminder of the evolving tactics used by cybercriminals to exploit unsuspecting internet users through seemingly legitimate advertising channels.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: