Researchers have recently uncovered a massive ad fraud operation called Scallywag, which is generating 1.4 billion fake ad requests every day using specially made WordPress plugins. This scheme was uncovered by HUMAN, a cybersecurity firm that specializes in bot and fraud detection. They also published a detailed blog post explaining how this attack works.
Scallywag is a fraud-as-a-service operation that targets pirated content and URL shortening websites. These types of sites are usually ignored by legitimate ad networks due to legal issues and brand safety concerns. Scallywag fills that gap by helping site owners make money using ad fraud plugins.
Scallywag is a fraud-as-a-service operation that targets pirated content and URL shortening websites. These types of sites are usually ignored by legitimate ad networks due to legal issues and brand safety concerns. Scallywag fills that gap by helping site owners make money using ad fraud plugins. However, people behind it continue to switch domains and try new ways to make money.
The operation revolves around four WordPress plugins: Soralink, Yu Idea, WPSafeLink, and Droplink. These plugins are used by multiple threat actors to set up their own ad fraud sites. In fact, there are YouTube tutorials showing how to use them to earn money by scamming ad platforms. These tutorials are mostly created by threat actors, not the plugin developers.
Except for Droplink, other WordPress plugins are paid. You only need to complete some money-making steps for the sellers. These plugins allow even non-technical users to get into ad fraud.
The fraud begins when users visit piracy catalog sites looking for free movies or software. These sites do not host ads themselves but link to sites that do. They work with Scallywag actors to earn money by redirecting users. When a user clicks on a link, they are sent through a chain of ad-heavy pages. These pages are set up using the Scallywag plugins. The user sees CAPTCHAs, countdown timers, and ads before finally landing on the content page.
These intermediary pages generate ad impressions, which are counted as genuine views, even though they are not. The plugins also use cloaking techniques to make the site look like a normal blog to ad networks.
At its peak, Scallywag was responsible for 1.4 billion fraudulent ad bid requests daily across 407 cashout domains. This statistic showcases the massive scale and impact of the operation.
HUMAN noticed the fraud through unusual traffic patterns. They saw high ad volumes coming from simple WordPress blogs, along with signs like cloaking, timers, and forced CAPTCHAs. After confirming the fraud, HUMAN worked with ad networks to block the traffic and stop bidding on the fake ad requests. This caused Scallywag’s revenue to collapse. The scammers tried to escape detection by using new domains and redirect methods, but HUMAN blocked those as well.
Scallywag’s daily traffic has dropped from 1.4 billion to almost zero. Many of the scammers have now moved on to other schemes. While the current setup is no longer working, the threat actors behind it are likely to try again using new tools or methods
