ScamClub’s Deceptive Landing Pages

Michael Steele
Confiant
Oct 26, 2023

Recently, I was involved in publishing Confiant’s ScamClub: Threat Report Q1-Q2 2023. During our investigation into this malvertising threat, we found ScamClub utilizing RTB integration with ad exchanges to push bid responses upstream and forcefully redirect the victim’s browser from the publisher site to its own landing pages, which contain scams. These scams are meant to entice victims into continuing to sites that ScamClub is an affiliate of but does not own. ScamClub leads its victims to other business entities’ pages, which contain surveys, CC-submit offers, and other offers, in order to gain profit from that entity as a marketing partner. Being an affiliate of these platforms has been very successful for ScamClub, and we estimated approximately $8.5 million in total revenue in the first two quarters of 2023. Exploiting an ad recipient’s browser to forcefully redirect them to a page that scams them into entering credit card details into an unrelated offer negatively represents its business partners. In this blog I will cover how ScamClub exploits the ad tech system to bring in confused victims, how it uses deception to scam its victims, and a few entities ScamClub was business partners with.

ScamClub’s Deceptive Nature

ScamClub is a threat actor whose techniques are captured in our Malvertising Attack Matrix. Our team tracks malvertising threats and profiles them based upon the techniques they use. More about how we profile these threats can be found in this blog post. I will be referring to the specific techniques in the matrix ScamClub uses in order to explain the story of its deception.

Before reaching ScamClub’s landing page, ScamClub exploits a technique known as [C204] Forceful redirects. This technique redirects the ad recipient’s browser from where it was, on the publisher website, to somewhere else, with no interaction required. In the case of a bid request won by ScamClub, code runs in the victim’s browser which forcefully redirects it from the publisher’s website to ScamClub’s malicious landing page. The victims may not know it was delivered via an exploited ad on the publisher website. Without this knowledge, they may misinterpret the legitimacy of the page to which they were forcefully redirected and fall victim to its scams. I think this is important to note about ScamClub because it uses this confusion to further its false claims and impersonation.

ScamClub is initially delivered by an ad and has a multi-staged payload. Of the three stages, the first decodes the second, the second fingerprints the victim, and the third redirects the victim’s browser to a ScamClub landing page. A URL is stored in the stage 3 payload.

// Stage 3 sample: URL of ScamClub's intermediate server, carrying the bid/exchange context
// (bid_id, pub, exchange, site_id) and the victim's fingerprint (ip, browser, os, cc)
var re_l_url = "https://trkmyclk.xyz/visit.php?k=14c685b6ffd1c77ca3f7971ad9aa01f1&c=185&bid_id=3343-91c36751b0e2d90-192&pub=englewoodherald.net&exchange=gothamads&ip=174.197.141.183&browser=&os=&ifa=&cc=US&time=bYvMTY4NTgxNjk5NjI4OA&browserv=113&site_id=englewoodherald.net_73fe4cb37e68&sec_id=69e3bf5a53902da611fdaf5be3683a25&xrtb_id=f24b89c64ec64d159a3e64f954239b2b&ifm_ori=2%7C%7Cabout:blank%7C%7Cenglewoodherald.net&banner_id=kKOE&a_href_id=bpbsF" + "&scid_bak=" + "1c41d66b534abcb1ae4074295f71c147" + "&scip_bak=" + "5ca1015596000a7a365a789343454851" + "&tmid_flg=" + "MKTaYk4aNxTig0x0N7jk5NwO0O0OO0O0O";
// The remaining variables, judging by their names, control redirect timing and cookie handling
var pbHalfSeconds = 3;
var expiryCookie = true;
var coo_time = 1;

The domain of the URL in this stage 3 sample is old and is no longer used. This domain name was reported to NameCheap by Confiant on October 5th, 2023, and the domain was no longer active by the end of the day. This domain has been retired, but the domain trackmaster.cc has taken its place and points to the same ScamClub IP (34.74.68.195). Requesting the URL from a stage 3 payload after replacing its domain with a current one, and removing all parameters that are not required, results in a response which indicates a 302 redirection.

http://trackmaster.cc/visit.php?k=994bf7a2b571f6bb6bde249b80572b25&c=155

The location stored in the response is ScamClub’s landing page URL. Fingerprinted data about the victim is given in the URL to the landing page via parameter data.

c = 4fz378lydzOz1
k = 139959912043137dd95ebab878004690
country_code = US
carrier = -
country_name = United States
region = New York
city = New York
isp = Time Warner Cable Internet LLC
lang = en
os = Windows 10
osv = (empty)
browser = Chrome
browserv = 117
brand = Desktop
model = Desktop
marketing_name = Desktop
tablet = 4
rheight = 768
rwidth = 768
e = 5

A cookie is set with the values c and k, which are also stored in the parameter data. These values are later used to redirect the victim towards the scam. If we load the location/URL from the response in Safari, we land upon a ScamClub landing page. Below we can see that the URL leading to the entity’s landing page uses the c&k cookie values set in the response from the ScamClub intermediate server.

Using the c&k values in its URL to the scam landing page. To be noted, my mouse is hovering over the “Renew Subscription” button, causing the URL to show in the bottom.

We will find there are two styles of ScamClub landing pages on two different domains in the examples below. Both are delivered after stage 3 has run in a victim’s browser from a malicious ad served by ScamClub, and a 302 redirection is sent from ScamClub’s intermediate server, leading to their own landing page. Both landing page styles exhibit the same format and reuse code. All the habits mentioned above occur on both.

neonaturaleco.top

ScamClub landing page impersonating Google

This ScamClub landing page style exhibits the following Malvertising Attack Matrix techniques:

C801 & C811 indicate that the landing page tells the victim that they have won a gift card or another prize in order to lure them. In reality, they have not won anything. Since the page is Google branded and the text speaks to the customer, we decided to rule it C811. It even claims copyright at the bottom of the page.

ScamClub landing page claiming google copyright

Code within the landing page is used to extract the carrier parameter from the URL used to access it.

<script>
  // Read one named parameter out of the landing page's query string
  function getURLParameter(name) {
    return decodeURI(
      (RegExp(name + '=' + '(.+?)(&|$)').exec(location.search) || [, null])[1] || '');
  }

  // The carrier value is supplied by ScamClub's intermediate server in the 302 Location URL
  var carrier = getURLParameter('carrier');
  carrier = decodeURIComponent(carrier).toLowerCase();
</script>

We know from earlier that ScamClub adds fingerprinting data to the URL used to access the landing page during stage 3. This data dictates which elements of the landing page are served to the victim. ScamClub landing pages use parameter data sent from their intermediate server to build a landing page catering to the victim.

English landing page carriers:

if (carrier.indexOf('cell') > -1) {
  document.write('Cell C')
} else if (carrier.indexOf('mtn') > -1) {
  document.write('MTN')
} else if (carrier.indexOf('telkom') > -1) {
  document.write('Telkom')
} else if (carrier.indexOf('vodacom') > -1) {
  document.write('Vodacom')
} else {
  document.write('Google')
}

Chinese landing page carriers:

if (carrier.indexOf('ntt') > -1) {
  document.write('NTT Docomo')
} else if (carrier == 'softbank') {
  document.write('SoftBank')
} else {
  document.write('au')
}

Italian landing page carriers:

if (carrier == 'vodafone') {
  document.write('Vodafone')
} else if (carrier == 'tim') {
  document.write('TIM')
} else if (carrier == '3 italia') {
  document.write('Tre')
} else {
  document.write('Wind')
}

Depending on the carrier parameter sent from the intermediate server, the landing page loads different images as well.

<script type="text/javascript">
  if (carrier.indexOf('ntt') > -1) {
    document.write('<img id="logo" class="clickable" src="carrier/logo-ntt.png" style="width: 120px">')
  } else if (carrier == 'softbank') {
    document.write('<img id="logo" class="clickable" src="carrier/logo-sb.png" style="width: 120px">')
  } else {
    document.write('<img id="logo" class="clickable" src="carrier/logo.png" style="width: 120px">')
  }
</script>

The above code snippets were retrieved from neonaturaleco.top. Knowing now that the carrier parameter in the GET request dictates what the page loads, we can set it, in this example, to “Cell C”.

Cell C landing page

We see elements of the page are loaded in correlation to that parameter data.

After clicking the OK button, a 9 question survey asks the following questions, with buttons to enter answers. The questions change based upon the location of the victim so that more fitting “operators”, as the page refers to them, are listed.

What kind of device are you using at the moment? PC / Notebook, Smartphone, Tablet, Other device.
Which operating system does your device use? Microsoft Windows, Apple MacOS, Android, Apple iOS, Other.
Which browser do you use? Google Chrome, Internet Explorer / Edge, Firefox, Opera, Other.
Do you use Internet on your mobile phone/smartphone? Yes, regularly, Occasionally, Seldom.
Do you plan to replace your phone soon? If so, when? Not anytime soon, In the next three months, Within a year.
Which other operators do you use? Cell C, MTN, Telkom, Vodacom.
Are you satisfied with the connection quality of {the operator you picked}? Highly satisfied, Reasonably satisfied, Highly dissatisfied.
How old are you? Under 18 years old, 18–25, 26–34, 35–54, 55–64.
What is your gender? Male or Female.

After completing the survey, the victim chooses a prize. Here are the prizes displayed on an English page.

After a gift is picked, the victim is directed to a new host owned by another entity to enter details to purchase the gift. The landing page the victim lands on after leaving ScamClub’s most of the time resembles the prize the victim chose.

Landing page after picking “Mystery Electonic box”
Landing page after picking “Dyson Products”
Landing page after picking “AMERICAN TOURISTER AEROSTEP 77CM”
Landing page after picking “Shein $750 Gift Card”

Some of the scam landing pages are not branded around the item the victim chose.

Generic payment page

Looking back at ScamClub’s landing page, we see a JavaScript source was loaded and find it is used to generate several URLs.

<script src="carrier/main.js"></script>
<script type="text/javascript">
var offer_s10 = PK.buildoffer_random(1,1);
var offer_iphonex = PK.buildoffer_random(2,2);
var offer_movie = PK.buildoffer_random(3,3);
var offer_shein = PK.buildoffer_random(5,5);
var offer_gas = PK.buildoffer_random(6,6);
var offer_mystery_box = PK.buildoffer_random(7,7);
var offer_dyson = PK.buildoffer_random(8,8);
var offer_aerostep = PK.buildoffer_random(9,9);
var offer_airfryer = PK.buildoffer_random(10,10);
</script>
testing PK.buildoffer_random()

We can see that a URL is inside each of these offer_… variables. The URLs only differ in the offer parameter value. On this page it is an int between 1–10 because 9 total offers are represented on the page. When the victim chooses one, the page is loaded using window.open().

// Called from the OK button of each offer; `a` is the offer index (4 is unused on this page)
function __cta(a) {
  if (a == 1) {
    window.open(offer_s10, '_blank');
  } else if (a == 2) {
    window.open(offer_iphonex, '_blank');
  } else if (a == 3) {
    window.open(offer_movie, '_blank');
  } else if (a == 5) {
    window.open(offer_shein, '_blank');
  } else if (a == 6) {
    window.open(offer_gas, '_blank');
  } else if (a == 7) {
    window.open(offer_mystery_box, '_blank');
  } else if (a == 8) {
    window.open(offer_dyson, '_blank');
  } else if (a == 9) {
    window.open(offer_aerostep, '_blank');
  } else if (a == 10) {
    window.open(offer_airfryer, '_blank');
  }
}
Inspecting the OK button on the Galaxy offer shows it calls the function from the previous code snippet.

eu.cybershieldscan.monster

Recently, we have seen ScamClub’s landing pages change to present only a single offer. Their landing pages shifted towards scareware and convince victims into paying for McAfee antivirus software. They falsely persuade the victim into believing they have malware.

ScamClub’s McAfee branded scareware

None of the claims on the landing page are true and their only purpose is to scare the victim into believing they need the software.

<script src="source1/main.js"></script>
<script type="text/javascript">
  var offer_mcafee = PK.buildoffer_random(1,1);

  // Called when the victim clicks the single offer button
  function goto() {
    window.open(offer_mcafee, '_blank');
  }
</script>

The code above differs from the previous ScamClub landing pages and has one offer URL instead of multiple. The domain 1156138705.rsc.cdn77.org in the offer URLs on the carrier branded pages is also used on the scareware pages.

URL that initiates the redirection towards the entities offer

ScamClub’s McAfee branded landing pages lead victims to McAfee’s real website with an affiliate code attached in order to collect payment. The 1156138705.rsc.cdn77.org URL redirects the victim multiple times after they click the offer. In these redirects, we can see it redirecting to McAfee with an affiliate id of 1494.
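When triaging a chain like the one above, an analyst wants every hop recorded without executing any landing page JavaScript, with a hop limit and loop detection so a misbehaving redirector cannot hang the tool. The script below is an added example written for this post, not ScamClub's code or Confiant's tooling. It takes the HTTP client as a parameter so it runs offline here against a constructed chain: the first host is the cdn77.org host named above, while hop.example, mcafee.example and the affid parameter name are placeholders I made up (the post states only that an affiliate id of 1494 appears in the final redirect, not the parameter name).

```python
from urllib.parse import urljoin, urlparse, parse_qs

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for an HTTP client that does NOT auto-follow redirects.
# Each entry maps a URL to (status, Location header or None). Hostnames other
# than the cdn77.org one are placeholders, as is the "affid" parameter name.
CONSTRUCTED_RESPONSES = {
    "https://1156138705.rsc.cdn77.org/go?offer=1": (302, "/r/xyz"),  # relative Location
    "https://1156138705.rsc.cdn77.org/r/xyz": (302, "https://hop.example/click?s=1"),
    "https://hop.example/click?s=1": (302, "https://mcafee.example/?affid=1494"),
    "https://mcafee.example/?affid=1494": (200, None),
    # A two-node redirect loop, to exercise the loop guard
    "https://loop-a.example/": (302, "https://loop-b.example/"),
    "https://loop-b.example/": (302, "https://loop-a.example/"),
}


def constructed_fetch(url):
    """Offline fetch: returns (status, location) from the constructed table."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def follow_redirects(start_url, fetch, max_hops=10):
    """Walk an HTTP redirect chain hop by hop.

    Returns a list of (url, status) tuples. The last status is the terminal
    HTTP status, or the string "loop" / "max-hops" if the walk was cut short.
    Relative Location headers are resolved against the current URL.
    """
    hops = []
    seen = set()
    url = start_url
    for _ in range(max_hops):
        if url in seen:
            hops.append((url, "loop"))
            return hops
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        url = urljoin(url, location)
    hops.append((url, "max-hops"))
    return hops


def summarize_chain(hops):
    """Collapse the hop list into the ordered hosts touched and the final query.

    Consecutive hops on the same host are merged, so the summary reads as the
    sequence of parties involved rather than every internal bounce.
    """
    hosts = []
    for url, _ in hops:
        host = urlparse(url).hostname
        if host and (not hosts or hosts[-1] != host):
            hosts.append(host)
    final_url = hops[-1][0]
    return {"hosts": hosts, "final_params": parse_qs(urlparse(final_url).query)}


if __name__ == "__main__":
    chain = follow_redirects("https://1156138705.rsc.cdn77.org/go?offer=1", constructed_fetch)
    for url, status in chain:
        print(status, url)
    print(summarize_chain(chain))
```

To run it against live infrastructure, replace constructed_fetch with a client configured not to follow redirects automatically (so that every Location header is observed) and keep the hop limit; the summary's host list is what you would attach to a report, since it names each party in the chain between the scam page and the affiliate destination.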

ScamClub Landing Page Anti-Navigation Features

ScamClub landing pages contain code to prevent the victim from using their browser’s intended functions to leave, and reload a new scam when they try.

<script type="text/javascript">
  var ourl = PK.rebuildurl('mcafee-2.php');
  var iurl = PK.rebuildurl('mcafee-2.php');
</script>
<script type="text/javascript">
  window.history.pushState(ourl, "Exclusive", ourl);
  window.history.pushState(iurl, "Bonus", iurl);
</script>
<script type="text/javascript">
  window.addEventListener("popstate",
    function(e) {
      if (document.URL.indexOf(ourl) >= 0) {
        window.location.href = document.location;
      }
    });
</script>

This code manipulates the document history and listens for an event named “popstate”. When this event occurs, the document location changes, and this results in the victim’s browser loading a new landing page and scam from the same ScamClub host. On Safari, this event occurs upon refreshing. This may be confusing to Safari users because most pages reload the same page and content upon refreshing. On Firefox, this event occurs upon reloading or trying to navigate forwards or backwards a page. Firefox victims will not be able to leave without closing the tab or browser, and a new scam loads each time they try to navigate or refresh.
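The offer-builder calls (PK.buildoffer_random, PK.rebuildurl), the carrier lookup and the pushState/popstate trap above are all static strings in the served HTML, so a crawler or ad-quality scanner can flag a ScamClub-style landing page without rendering it. The scanner below is an added example written for this post, not Confiant's detection code; the indicator names, weights and threshold are my own choices, and both pages it scans are constructed from the snippets quoted in this post rather than captured HTML. It scores the PK.* helpers highly because they are specific to these pages, while a pushState call or a popstate listener on its own is ordinary single-page-application behaviour and only counts when the full trap (push, listen, reassign location) is present together.

```python
import re
from dataclasses import dataclass, field

# Constructed page assembled from the snippets quoted in the post; not a real capture.
SAMPLE_LANDING_PAGE = """
<script src="carrier/main.js"></script>
<script type="text/javascript">
var carrier = getURLParameter('carrier');
var offer_s10 = PK.buildoffer_random(1,1);
var ourl = PK.rebuildurl('mcafee-2.php');
window.history.pushState(ourl, "Exclusive", ourl);
window.addEventListener("popstate", function(e) {
  if (document.URL.indexOf(ourl) >= 0) { window.location.href = document.location; }
});
</script>
"""

# Constructed benign page: a normal single-page app using the History API.
BENIGN_PAGE = """
<script>
history.pushState({page: 2}, "", "?page=2");
window.addEventListener("popstate", function(e) { render(e.state); });
</script>
"""

# (indicator name, pattern, weight). Weights are assumptions for this example.
INDICATORS = [
    ("pk_buildoffer", re.compile(r"PK\.buildoffer_random\s*\("), 3),
    ("pk_rebuildurl", re.compile(r"PK\.rebuildurl\s*\("), 3),
    ("carrier_param", re.compile(r"getURLParameter\(\s*['\"]carrier['\"]\s*\)"), 2),
    ("history_push", re.compile(r"history\.pushState\s*\("), 1),
    ("popstate_listener", re.compile(r"addEventListener\(\s*['\"]popstate['\"]"), 1),
    ("popstate_reload", re.compile(r"window\.location\.href\s*=\s*document\.location"), 2),
]

# All three pieces must co-occur for the back-button trap described in the post.
HISTORY_TRAP_PARTS = {"history_push", "popstate_listener", "popstate_reload"}
HISTORY_TRAP_BONUS = 2


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    history_trap: bool = False


def scan_landing_page(html):
    """Run every indicator over the raw HTML and return the weighted result."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            result.hits.append(name)
            result.score += weight
    result.history_trap = HISTORY_TRAP_PARTS <= set(result.hits)
    if result.history_trap:
        result.score += HISTORY_TRAP_BONUS
    return result


def verdict(result, threshold=5):
    """Threshold is an assumption; tune it against your own corpus."""
    return "scamclub-like" if result.score >= threshold else "no-match"


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_LANDING_PAGE), ("benign", BENIGN_PAGE)):
        r = scan_landing_page(page)
        print(label, r.score, r.hits, r.history_trap, verdict(r))
```

Because the indicators are raw string patterns, the scanner should be run on the HTML as served (before any script execution) and will miss the same code if it is later obfuscated; pairing it with the redirect-chain record of how the page was reached gives a stronger signal than either alone.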

ScamClub’s Business Partners

ScamClub landing pages are meant to entice the victim into continuing to another landing page. This second landing page is owned by another entity that ScamClub is a marketing partner of. ScamClub landing pages do not generate profit on their own and rely upon sending traffic to their partners for profit. Once the victim enters payment details to complete the offer, ScamClub is paid as an affiliate of the transaction. We can track the entities ScamClub is a marketing partner of by reading the Terms and Conditions on the entity’s payment page, where available.

RPPRO LLC. is the entity mentioned on most of the entity landing pages at the time of testing (October 12, 2023).

AMERICAN TOURISTER AEROSTEP 77CM landing page’s Terms and Conditions

Crative Peace Makings LLC was mentioned in the Terms and Conditions of the Dyson entity landing page (October 12, 2023).

One entity landing page makes the victim agree to Terms and Conditions and a Privacy Policy that are not accessible from the payment page. I did not find an entity name for this example because it was not available.

Payment page with inaccessible Terms and Conditions and Privacy Policy

On the Shein branded scam landing page,

after the victim fills in the form and submits it, the victim is brought to a new host, and the entity represented on the payment page is loaded dynamically. We can see this most easily by submitting the form multiple times. After we do, we are brought to many different payment pages that do not point to a single entity.

getiqbrain.com is the domain of the payment page in two of the three screenshots, but the entity name as well as the address on the two pages are different.

Deceptive Practices

While going through the Terms and Conditions policies of ScamClub’s business partners, I found that the offers are not one-time purchases but rather subscriptions with hidden details. Reading the policy, you will find the purchase is for a trial period of a subscription-based service. By accepting the trial, you are subscribing to the service unless you cancel within the trial period. These entities charge the victim a low amount, like $2–5, for a three day trial. A charge of ~$50 is made after the trial ends, and this charge will recur every two weeks or a month.

You would not be able to tell what you are buying from these entities’ pages based upon what you see without clicking through and reading the policy. The pages are intentionally misleading to their victims. The detail that the purchase is for a trial which leads into a costly subscription is hidden in fine print or in the policy agreement. This results in victims believing they paid for a one-time purchase, when in reality they have agreed to pay for a subscription. The payment model of the subscription exploits the victims’ unawareness of the purchase by making recurring payments that increase.

Conclusions

ScamClub serves malicious ads which forcefully redirect the victim’s browser to a page that deceives them into believing they won a prize they must pay a small fee for, or that they have malware that requires a paid service to fix. The claims are false, and ScamClub’s landing pages impersonate brands including Google, T-Mobile, Xfinity, Wind, and more to lead the victim into believing its claims. After they click through ScamClub’s landing page, they are brought to the entity’s landing page to enter more details, including payment information. The victims in the end purchase something from the entity completely unrelated to the promises on ScamClub’s landing page. The entities ScamClub is in business with misrepresent the payment page as a one-time payment, when the purchase initiates a subscription with routine payments which increase in price. This purchase results in profits for ScamClub because they get paid for the victims they direct towards their business partners’ offers.

Appendix A — ScamClub Landing Page URLs

http://neonaturaleco.top/bonus/com-africa-8811/za-lp2.php?c=4rz79n4hz69z1&k=a9faa70c7bb0ada3576fcb0378cb10ce

http://eu.cybershieldscan.monster/fr/dt/mcafee-2.php?c=4gz16j7gbz0z5&k=63baa3498e555cfa43522f69b1100c06&1696607985

http://goodthingsperday.space/bonus/com-it-7891/lp2.php?c=4gz16jck0z0z0&k=0b071542eb148035915323d54fd299b8

Appendix B — Entity Landing Page URLs

https://bestooffersfinder.net/l/EOsWwcmxJsvAJnneHVqo?offer_id=10253&p_id=&s1=10246fe8a5ecc6a2365ac0539ad560&s2=1043&s3=16507&s4=#rafl&%23nt

https://letsgame.site/l/OOMVVLNP1K0xDIw77Oas/payment?token=eyJpdiI6IkxzenFDeUVMTjkyZnBaWVVqREFLY2c9PSIsInZhbHVlIjoibUMvL3ZMaFlJUkF5WmhxK0hMa08rOTJPeWwwdU1ZcnZSQjVTMHp6Q3E2WT0iLCJtYWMiOiI2M2EzMjEyMWJiYWY2YzViNzg4MzAyNzA5N2NmMjIxODg4Y2FkYWNlMWE2MDI1MGIzNWE1ZGJmYjI2OGVmYjY2IiwidGFnIjoiIn0%3D&_luuid=39ef237f-8cf5-45f2-bf5d-d1e6873b1c24&_sid=eyJpdiI6Im1EdjRkS2N6QzFadzlIaWdRUzdJUEE9PSIsInZhbHVlIjoid25Sa1N2TC9GdENrRjgxVUE1dEJGLzViSlBGMXdIWnhsbVZoRmdiU2FiZDd3TXp1ei80NmdSS0txTzMxVTBrNVgweDNwMHMvbU5YVlhodHAxdk9LZ0E9PSIsIm1hYyI6IjI1MGExZmMxOGM4YmE5MTZmM2I3MTlkMGQ0NWU3ZjVlNjBhMmNkNmQ4Y2VhODI2NWFiNDc3YmEyMjBiOWU4NjkiLCJ0YWciOiIifQ%3D%3D

https://gogaming.vip/r/vn9xLJXwsS2hhcObc/d5b3c76a-a77a-4ca0-93f8-c3343fe36299/payment?token=eyJpdiI6IlRIYitqai81ZERrSDhXUGZhbUlnTEE9PSIsInZhbHVlIjoiZ29QSW4vREdOcVRXUXdvK2prdks3WmZReXlRTGFnN3lVTmRMcDFuZVQ0bz0iLCJtYWMiOiIyOGQ5ZGM4YjhjN2YxMzQ3Mjk5YTE5N2Q2YjViZWUyZWNmYmNiYjA2NWFlYTQwNmI3MGM5YTBmYTFlOGZiNDhhIiwidGFnIjoiIn0%3D&_luuid=c3b1034c-f701-48c8-8a4b-b2dc6abc1af5&_sid=eyJpdiI6IjZDMS92VDFCeEd2Z096NGtwVitsUXc9PSIsInZhbHVlIjoiOElGWC9tWWJLOE9KYlZ4dVRKK0E1TmFpcTRxS2ROaVN6YVRMZVhDRGFVbmFaZmg1dVRmLzl3ZWhSSmEvMitSQm1BRjM5dm0rNTE0NG1CSG90dFVKUkE9PSIsIm1hYyI6IjQyOWM4YWUxNzU1ZjhiZDFhMGQyYWIwNDdhNTg4NDY2YTYxZmRkMTQxMzhiMTJlZThmMmZlNjI2MzU3NDdjMGQiLCJ0YWciOiIifQ%3D%3D#payment-section

Appendix C — Entities

RPPRO LLC. Found via OSINT (1309 Coffeen Avenue STE 1200 Sheridan, Wyoming 82801, US)

Crative Peace Makings LLC. Found via OSINT (2847 S INGRAM MILL RD, STE A100, SPRINGFIELD, MO, 65804)

Martway limited, kosta xenofontos 5, lakatamia, 2335, nicosia, cyprus.

Etronik llc, 4758 ridge road # 110 brooklyn oh 44144.

Ckop llc, 2710 del prado blvd. s#2–274 cape coral, fl. us 33904.
