The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads.
In this particular case, the code used by the ScamClub group hijacked a user's browsing session from the legitimate site on which the ad was showing and redirected the victim through a long chain of temporary websites, one that eventually ended on a page pushing an adult-themed site or a gift card scam.
These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today.
"On November 12 we've seen a huge spike in our telemetry," Jerome Dangu, Confiant co-founder and CTO, told ZDNet in an email.
Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year.
"The difference is the volume," Dangu told us. "One of the reasons for the November 12 spike is that they were able to access a very large ad exchange. Previously they only had access to lower reputation ad networks which limited their visibility on premium websites."
Dangu said that during the 48 hours during which the malvertising spike was active, 57 percent of Confiant's customers were affected, showing the malvertising campaign's huge reach.
He said that the malicious ads were created to look like ads for official Android apps (play.google.com), but in reality, they were engineered to hijack US-based iOS users and redirect them to ScamClub's adult and gift card scams, where crooks tried to collect users' personal and financial data via deceitful offers.
Dangu said that his company managed to block around five million of the estimated 300 million malicious redirects and that 99.5 percent of the affected users were US-based, and 96 percent were iOS users.
The Confiant CTO says the malvertising campaign abated on Tuesday, November 13, as the high-profile ad exchange removed the malicious ads. But ScamClub has continued to operate.
"We've continued to see activity, to the scale of 300k hits per day, so the attacker is still active but back to its usual lower visibility ad networks," Dangu told ZDNet. "We expect they'll continue to be active for the foreseeable future."
The ScamClub attack was huge compared to others
To put the attack in perspective, Dangu compared it to the campaigns carried out by Zirconium, another criminal group engaging in malvertising campaigns, a group so advanced that it created 28 fake ad agencies to disguise its malicious campaigns.
Dangu says that Zirconium, as advanced as it is, was only responsible for around one billion malicious ad impressions during all of 2017, whereas ScamClub pushed 300 million malicious ads in just two days.
Why the ScamClub name and how do they operate?
"We call them ScamClub due to the landing page domains they use (hipstarclub[.]com and luckstarclub[.]com)," Dangu told us in an email.
"The landing page domains (hosting scams or adult content) have been very persistent," he added. "This group is really good at evading and they use multiple fast-changing redirection chains, but eventually always lead to one of those 'starclub' domains."
"It's significant that such a high scale operation is able to persist with just 2 domains over such a long period of time," Dangu added.
In an accompanying report published earlier today, Dangu also expanded on this topic, showing his dissatisfaction with security vendors, which for weeks failed to flag the group's two main domains as malicious.
He said it took weeks before the two domains were added to the Google Safe Browsing blacklist, and that even now, security vendors listed on VirusTotal still fail to flag ScamClub's two main domains as malicious, despite a giant three-month-long malvertising campaign going on under their noses.
Dangu suggested that one of the reasons some security vendors and automated security scanners failed to detect the two malicious domains was that ScamClub placed code inside the malicious ads that distinguished between a page being loaded for analysis inside a virtual environment and a page being loaded on a real device.
This "special" code kept the malicious ads from triggering the redirects while under analysis, and therefore prevented many security vendors from ever reaching, detecting and flagging the "starclub" domains at the end of the redirection chains as malicious.
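The redirect chain described earlier and the evasion just discussed both point to the same defensive lesson: the intermediate hops change quickly, while the two landing domains stayed constant for months, so telemetry collected from real browsing sessions should be keyed on the terminal domain of each chain. The script below is an added example, not Confiant's code or tooling; it reconstructs chains from a constructed telemetry format (session id, hop index, platform, URL), flags sessions whose last hop lands on the two domains named in the article, and uses made-up placeholder hosts for every other hop. Session s4 is deliberately a chain that never reaches a landing page, which is what an analysis environment that tripped the ad's evasion check would record, and it is correctly left unflagged.

```python
"""Reconstruct ad redirect chains from constructed telemetry and flag the
ones that terminate on the ScamClub landing domains named in the article.
Added example, not Confiant's own tooling."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Landing domains reported by Confiant (defanging brackets removed).
SCAMCLUB_LANDING_DOMAINS = {"hipstarclub.com", "luckstarclub.com"}

# Constructed sample telemetry: session_id,hop_index,platform,url
# Every host other than the final ScamClub hops is a made-up placeholder.
# s4 is a chain that never fires its redirect (what a sandbox that tripped the
# evasion check would log) and therefore has no landing domain to match.
SAMPLE_TELEMETRY = """\
s1,0,ios,https://publisher.example/article
s1,1,ios,https://cdn-hop1.example/ad.js
s1,2,ios,https://tmp-redirect-a.example/go?x=1
s1,3,ios,https://promo.hipstarclub.com/offer
s2,0,ios,https://publisher.example/news
s2,1,ios,https://cdn-hop1.example/ad.js
s2,2,ios,https://tmp-redirect-b.example/r
s2,3,ios,https://www.luckstarclub.com/giftcard
s3,0,android,https://publisher.example/article
s3,1,android,https://cdn-hop1.example/ad.js
s3,2,android,https://legit-advertiser.example/landing
s4,0,ios,https://publisher.example/article
s4,1,ios,https://cdn-hop1.example/ad.js
"""


def registrable_domain(url):
    """Return the last two labels of the URL's hostname.
    Assumption: a two-label heuristic is enough for .com hosts; a real
    deployment would consult the public suffix list instead."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_chains(text):
    """Group telemetry rows by session and order the hops, returning
    {session_id: (platform, [url, ...])}."""
    hops = defaultdict(list)
    platform = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        session, hop, plat, url = line.split(",", 3)
        hops[session].append((int(hop), url))
        platform[session] = plat
    return {s: (platform[s], [u for _, u in sorted(h)]) for s, h in hops.items()}


def flag_scamclub_chains(chains):
    """Return the sessions whose final hop lands on a known landing domain.
    Intermediate hops are ignored on purpose: they are fast-changing, while
    the two landing domains persisted for the whole campaign."""
    return sorted(
        s for s, (_, urls) in chains.items()
        if registrable_domain(urls[-1]) in SCAMCLUB_LANDING_DOMAINS
    )


def summarize(text):
    """Parse, flag, and break the flagged sessions down by platform."""
    chains = parse_chains(text)
    flagged = flag_scamclub_chains(chains)
    by_platform = Counter(chains[s][0] for s in flagged)
    return {
        "sessions": len(chains),
        "flagged": len(flagged),
        "flagged_sessions": flagged,
        "by_platform": dict(by_platform),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TELEMETRY))
```

Matching on the terminal domain rather than on any intermediate host is what makes this robust against the rotating redirect chains the article describes; the trade-off is that it only works on telemetry from sessions where the redirect actually fired, which is exactly the data an evasion-aware ad withholds from scanners.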
In the case of ScamClub, there's a reason the group targeted mobile users. While ad blockers are commonly installed in desktop browsers, they are far less common in mobile browsers, which is why this particular campaign targeted iOS users. Ad blockers for both Android and iOS have been available for download for years, from different companies, but most mobile users aren't yet accustomed to installing one on their smartphones as they do on their desktops.