Malvertising Attack Matrix

A project by


[Profile] ScamClub

Overview: ScamClub is a threat actor known for conducting large-scale scams and defrauding individuals. This group exploits vulnerabilities in the programmatic ad system to carry out forced redirect campaigns.

ScamClub utilizes RTB integration with ad exchanges to push bid responses upstream containing malicious javascript. This code will attempt to redirect victims' web browsers to a malicious landing page without any action or intent on the part of the victims. Forced redirect attacks are harmful because ad recipients can encounter fraudulent landing pages designed to deceive and exploit them. Attacks from ScamClub lead victims to financial scams, gift card scams, phishing pages designed to steal user information, and more. These attacks not only harm ad recipients, they harm websites by damaging their reputation, while also undermining the trust and credibility of DSPs and SSPs, potentially leading to financial losses and strained relationships with advertisers and publishers.

ScamClub uses many techniques to ensure an effective campaign. In June 2020, Confiant observed ScamClub use a zero-day exploit that bypassed a security feature in the ad iframe. This security feature is used to prevent any redirection unless there is a proper click inside of the ad. The exploit bypassed this feature and took the ad recipient away from the page without clicking on the ad.

ScamClub has also been using what we deem high risk ad exchanges. The result of ScamClub using high risk ad exchanges to post their creatives has had a huge negative impact on publishers.

In 2018, when referring to ScamClub campaigns, we found 57% of our publisher clients working with this ad exchange were impacted. The ad exchange ScamClub used at that time was one we deemed high risk. Confiant monitored the delivery of this malvertising campaign, recorded and blocked over 5 million hits in 48 hours. The total amount of impressions served to publishers left without Confiant's protection was estimated at over 300 million impressions during this 48-hour period. By comparison, the Zirconium group was responsible for only one billion impressions throughout the whole year in 2017.

ScamClub Diamond Model Attributes

Using the diamond model of attribution, Confiant threat intelligence determined that on-going malvertising activity impacting multiple ad exchanges, DSPs, SSPs and publishers are attributed to the ScamClub threat actor with high confidence.

ScamClub Diamond Model - Confiant
ScamClub Diamond Model - Confiant

Diamond Model Analysis

Country of Origin China
Related Entity WayTop International Advertising Limited
Years of Activity 2018-today
Motivation Financial gains
Victimology This threat actor predominantly targets victims in the United States, with additional victims in Canada, United Kingdom, Germany, Italy, France, and Spain
Affected Industries Advertising
Affected Segments Ad Exchanges, Demand Side Platforms, Supply Side Platforms, Publishers
Unique Tools → Multi-staged custom JavaScript obfuscation tool
→ Browser exploit: CVE-2021-1801 (Safari iOS/MacOS Webkit)
Generic Tools XRTB, RTB4Free
Known Infrastructure Domain Names:
2020workaffnew[.]top, trkmyclk[.]xyz

IPv4 Addresses:


Note: The Diamond Model analysis provides crucial insights into cyber threats, focusing on the who, what, when, where, why, and how aspects of the threat actor and their activities.

Tactics, Techniques, and Procedures (TTPs)

Since the emergence of ScamClub in 2018, Confiant has diligently monitored and recorded the tactics, techniques, and procedures (TTPs) employed by this threat actor based on the comprehensive Confiant Malvertising Matrix model. The creation of this model involved continuous tracking and analysis of 25 distinct threat actors who specifically target the advertising industry. It serves as a vital tool in profiling threat actors and plays a central role in our established cyber threat intelligence program.

Note: We strongly encourage our peers in the ad-tech industry to adopt this model, as it greatly enhances our capabilities in detection and attribution.
Further information on utilizing this model can be found here.

Confiant Matrix ID Description

Fake Advertising Agency

Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs).

More information

Fake Ad Creative

Fake ad creative are display advertisements that are typically shown in standalone slots on websites and mobile apps, it is a great entry point for malvertisers.

More information

Forceful Redirects

Forceful redirects are the technique by which malvertisers redirect victims to a malicious landing page through no action of their own.

More information

Cloud Storage - Bucket

Buckets are cloud containers that store user data. Often used to store and protect any amount of data for websites, mobiles apps for backup and restore.

More information

Iframe Sandboxing Bypass

Iframe Sandbox bypass are exploits that circumvent iframe sandbox attribute parameters, typically the "allow-top-navigation-by-user-activation" parameter.

More information


WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics cards and their performance are highly variable and produce outputs that are in an entropy sweet spot.

More information

User-Agent Fingerprinting

User-Agent Fingerprinting is a client-side check by which adversaries determine Browser types and versions they might potentially be attacking.

More information

GeoIP Check

GeoIP is commonly used as a server-side check consisting of determining the geographical location of a potential target based on the IP address.

More information

IP Targeting

IP targeting is a more fine-grained check than GeoIP check, consisting of determining if targets are using their home, datacenter, Enterprise, or 4G mobile connection.

More information

OS Fingerprinting

OS Fingerprinting is a check used to accurately determine the Operating system and its version of a target user.

More information

Fake Ad Creatives

Fake AD creatives are copy/pasted legitimate AD creatives that are used by malvertisers as a pretext for them to appear legitimate in the eyes of ad platforms.

More information

Browser Objects

Browser Objects are any objects that are native to a browser's implementation of JavaScript and/or the many APIs available to browsers.

More information

Plugin Detection

The Browser Identification through Plugin Detection technique is employed by attackers to determine the type of browser a user is running based on the identified plugins. By leveraging the plugin's API, malicious websites can extract version information of installed plugins on the victim's system.

More information

Code Obfuscation

Code Obfuscation applies to a broad category of techniques and tactics that are employed by attackers in order to make their code hard to read by human analysts.

More information


Anti-Devtools techniques are employed by attackers in order to disrupt the debugging process of the malicious code when browser dev tools are detected.

More information

String Concatenation

String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings will be difficult to search for during static analysis.

More information

DOM Traversal

The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents.

More information

Security Vendor Detection

Malvertising security vendors typically have a client-side component for blocking malvertisements.

More information

Automated Framework Detection

The Automated Framework Detection Avoidance technique is employed by attackers to identify and differentiate victims using automated testing frameworks, such as Selenium, while attempting to avoid detection and analysis. Attackers achieve this by utilizing JavaScript-based fingerprinting code within malicious websites or applications.

More information


The anti-replay technique aims to ensure that the malvertising payload is executed only once on a targeted device.

More information

Gift Card Scam

Gift Card Scams are landing pages that tell the victim they have won an e-commerce gift card, usually to a major retailer. In order to claim the gift card the victim has to fill out a form with their email address or other contact information.

More information

Carrier Branded Scams

Carrier Branded Scams are landing pages where the victim is presented with a fake message from their local ISP.

More information

Giveaway Scam

Gift Card Scams are landing pages that tell the victim they have won an e-commerce gift card, usually to a major retailer.

More information


This technique involves leveraging scare tactics to manipulate victims; a landing page is designed to instill fear in the users by falsely indicating that their system is infected with malware.

More information

Financial Loss

Financial Loss encompasses any attack whose impact results in lost money from the victim targeted by malvertisers.

More information

Read the full report here:

ScamClub: Threat report Q1-Q2 2023