A major ad fraud operation known as “Scallywag” generated a staggering 1.4 billion fraudulent ad requests daily at its peak through deceptive WordPress plugins designed to monetize piracy websites. The sophisticated scheme, recently disrupted by HUMAN’s Satori Threat Intelligence and Research team, exploited digital piracy through a collection of four WordPress extensions that redirect users through ad-laden intermediary pages before delivering the promised pirated content or shortened URLs.

Threat actors use this set of WordPress extensions, called Scallywag, to reroute users from URL-shortening services or piracy catalog sites to one or more intermediary cashout sites, where a number of advertisements are displayed, and then back to the promised pirated content or shortened URL. The operation employed sophisticated domain cloaking techniques, which are classified as False Representations in the Interactive Advertising Bureau’s Invalid Traffic (IVT) Taxonomy. Technical analysis revealed that most Scallywag sites achieved this cloaking behavior through deep linking, where the piracy catalog page includes links to webforms that automatically submit and redirect users to decloaked versions of the pages.

“Domain cloaking threat models continue to be a pervasive and persistent threat in the advertising landscape and are exacerbated by easy-to-configure schemes like Scallywag,” researchers noted. Digital piracy remains a persistent challenge for the advertising ecosystem, with the Interactive Advertising Bureau estimating losses in the billions annually due to such fraudulent schemes.

The security firm implemented measures to flag Scallywag traffic in its Human Defense Platform, cutting off the operation’s revenue streams.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 09:30:14 +0000