Morphixx malvertising scam resurfaces with new tactics, targets UK and Germany

Security researchers at GeoEdge this week unveiled the resurgence of the Morphixx malvertising credit card scam, which has adopted new, deceptive tactics to target mobile users in the United Kingdom and Germany. This latest iteration of the attack, detected in early September, exploits popular JavaScript libraries to embed malicious code, making detection more challenging and potentially exposing unsuspecting users to financial fraud.

The Morphixx campaign, previously known to security experts, has evolved its methods to leverage the trusted reputation of Google Ad services and legitimate JavaScript libraries. According to GeoEdge's report, the threat actors have specifically targeted widely-used libraries such as TweenMax, jQuery, Edge, CSSPlugin, TweenLite, and GSAP. These libraries, typically employed for animations, interactivity, and enhanced web experiences, have been manipulated to conceal the scam's activities.

What sets this attack apart from traditional deceptive campaigns is its approach to cloaking. While previous malvertising efforts often employed client-side cloaking in the post-click stage to control the display of deceptive landing pages, Morphixx has shifted its strategy. The campaign now places the fingerprinting script in the banner pre-loading stage, allowing it to control both the banner display and the landing page. This technique significantly increases the difficulty of detection for security systems and researchers.

The attack flow, as detailed by GeoEdge, follows a sophisticated multi-step process:

1. Ad Request: The process begins when a publisher's page initiates a network request to retrieve ad resources from the Google Ad Server. This request includes legitimate libraries such as jQuery.js.
2. Ad Response: The server returns the ad content, but within the jQuery.js file, hidden obfuscated malicious code has been embedded.
3. Rendering and Fingerprint: As the browser renders the fake ad, it simultaneously executes the embedded malicious script. This script includes client-side fingerprinting capabilities designed to filter out bots and target specific audiences. It's important to note that only users who meet the targeting criteria are affected by the subsequent stages.
4. Misleading Malicious Request: For users who pass the targeting filters, the browser makes a network request to what appears to be a legitimate JavaScript library. However, this request is actually directed to a malicious domain.
5. Ad Cloaking: The response from this malicious domain contains obfuscated code that replaces the initially displayed fake ad with a financial scam ad. When a user clicks on this malicious ad, they are redirected to a cloaker domain. This domain employs server-side fingerprinting to deliver content specifically tailored to accurately target user profiles, further disguising its true malicious intent.

To illustrate the deceptive nature of this attack, GeoEdge provided examples of the network requests and responses involved. For instance, a seemingly legitimate request for the popular 'jQuery.js' library from the Google Ad Server returns a manipulated response containing hidden threats.

The researchers also shared visual examples of the fake and malicious ads used in the campaign. In one instance, users are presented with what appears to be a legitimate advertisement. However, clicking on this ad leads to a completely different destination than expected. The malicious version of the ad, when clicked, directs users to a fraudulent website designed to mimic trusted financial institutions or services.

One particularly concerning aspect of this campaign is its ability to create highly convincing fake websites. For example, the researchers discovered a counterfeit BBC website that closely resembled the genuine article, potentially fooling even discerning users.

The sophistication of the Morphixx campaign is evident in the range of techniques employed to evade detection and maximize impact. These methods include:

1. Obfuscation: The malicious code is hidden and scrambled to make it difficult for security tools to identify.
2. Anti-Debug Functions: These are implemented to hinder attempts by security researchers to analyze the code.
3. Client-Side Fingerprint: This technique helps the malware identify and target specific types of users or devices.
4. Server-Side Fingerprint: Additional filtering is performed on the server to further refine the targeting of victims.
5. Cloaked Content: The true nature of the malicious content is hidden from security scanners and non-targeted users.
6. Dynamic Content Loading: Malicious elements are loaded in real-time, making them harder to detect through static analysis.
7. Code Injection: The attack inserts malicious code into legitimate scripts, exploiting the trust placed in well-known libraries.
8. Malicious Redirects: Users are sent through a series of redirects to obscure the final destination and evade tracking.

The resurgence of the Morphixx campaign highlights the ongoing cat-and-mouse game between cybercriminals and security professionals. By adapting their techniques and exploiting trusted systems, these threat actors continue to pose significant risks to online users and the digital advertising ecosystem.

The targeting of mobile users in the UK and Germany suggests a strategic focus on regions with high smartphone penetration and valuable financial markets. This geographic specificity allows the attackers to tailor their scams to local contexts, potentially increasing their success rates.

For the digital advertising industry, this attack serves as a stark reminder of the need for constant vigilance and evolving security measures. The exploitation of legitimate ad networks and popular JavaScript libraries underscores the challenges faced by platforms, publishers, and security providers in maintaining a safe online environment.

As malvertising techniques continue to advance, collaboration between ad tech companies, security researchers, and platform providers becomes increasingly crucial. The ability to quickly detect and respond to new attack vectors can help mitigate the impact of such campaigns and protect users from financial fraud and other malicious activities.

Key facts about the Morphixx malvertising campaign

Detected in early September 2024 by GeoEdge security researchers

Targets mobile users in the UK and Germany

Exploits popular JavaScript libraries including TweenMax, jQuery, Edge, CSSPlugin, TweenLite, and GSAP

Embeds malicious code within legitimate-looking ad content

Uses sophisticated cloaking techniques to evade detection

Employs both client-side and server-side fingerprinting to target specific users

Creates convincing fake websites mimicking trusted sources like the BBC

Utilizes a range of evasion techniques including obfuscation, anti-debugging, and dynamic content loading

Represents an evolution of previously known malvertising tactics