Celebrities Drive Malvertising (Again)


Hijacked celebrity brand images expose consumers to phishing schemes – Celebcore.  

Bitcoin? That’s so 2021. Threat actors are diversifying their dishonest celebrity endorsements to promote a whole host of dubious products that harm consumers.

Celebrity likenesses are being hijacked at scale for malvertising campaigns hawking CBD gummies, weight loss pills, dubious business investments, questionable beauty products, and more. The scheme defrauds consumers by phishing for their personal information, which is then used in future, targeted attacks—activity that draws the attention of regulators.

A Fizzcore-like malvertising threat

The use of click-bait style advertisements that lead to deceptive and fraudulent domains is not new. Just before the pandemic, the explosion of Fizzcore—malvertising campaigns using celebrity images to promote fraudulent Bitcoin investment scams—caused havoc across the digital ecosystem leading to several celebrities filing legal complaints.

Similar to Fizzcore, an evolving malvertising campaign relies on celebrity images to drive consumers to either a website with regurgitated content cribbed from other sources or a cloaked page promoting a scam. Dubbed Celebcore, this “Fizzcore-Like” threat involves:

  • Creative with celebrity images, and some even using a legitimate publisher brand logo
  • Geographic targeting
  • Cloaked landing pages, often copying a legitimate publication’s design
  • Landing pages typically promote health or beauty-related products, but not the cryptocurrency investments associated with Fizzcore

The campaign uses dozens of celebrity images across a wide range of industries—Tiger Woods, Lee Drummond, Maggie Beer, Shark Tank cast, Justin Trudeau, Richard Wilkins, Graham Norton, Elon Musk, and more. The oft-unflattering images are paired with inflammatory, click-bait text and resolve to fake websites. [Figure 1] There are typically two landing page options, but sometimes more.


Figure 1: Sample Celebcore creative and the various landing pages connected to it


Taking a page from Fizzcore, Celebcore uses cloaking techniques to mask its fraudulent landing pages from early detection. In most instances, the landing page URLs have zero relationship to the creative: for example, an earofcorn[.]de landing page for an ad featuring Australian TV presenter David Koch that targets local consumers.

When certain predetermined conditions are met, Celebcore delivers the overt fraudulent pages, which vary wildly from financial scams (minus the cryptocurrency associated with Fizzcore) to fake endorsements of diet pills or various beauty products. As a further evasion technique, many of the landing pages copy the design of recognized media publications. [Figure 2]


Figure 2: Sample fraudulent malvertising landing pages that scrape their appearances from legitimate publishers. The URLs for these pages are not associated with those publishers.

While the triggers are still being investigated, The Media Trust can confirm the celebrity is typically known to consumers in the targeted geography: e.g., Justin Trudeau creative is served to Canadian consumers or Graham Norton to Ireland and UK consumers. There is also typically a contextual element: e.g., Tiger Woods on sports content or Adele on entertainment and news websites.

Move over Fizzcore—Celebcore is here

Celebcore malvertising campaigns have grown at a dizzying rate over the past few months. Initially targeting consumers in large online markets like Australia, France, Germany, UK and U.S., this threat has now spread to affect consumers globally—especially those in Brazil, Canada, Japan, and India. [Figure 3] A few of these incidents appear to target aging adults and children.


Figure 3: 2X rise in Celebcore incidents in two months.

The campaigns can be difficult to detect. Typically hosted by Google, the creative features similar text but with different celebrity images. [Figure 4] While blatantly erroneous creative should be your first hint, the ability to elicit and analyze the cloaked landing pages is critical to confirming Celebcore.

The landing page domains are changing rapidly. Purchase of existing domains started in early 2022, with a few malvertising activations throughout the year. New domain registrations started in early 2023, with 2-5 domains registered every week but not activated for several days or weeks. The key is early detection of the fraudulent creative, which requires continuous image, object, and text detection and analysis. AI is a crucial tool here.

Figure 4: Example of replicated content with changing celebrity image

Falling cryptocurrency value drives Celebcore

The rapid rise in Celebcore incidents is at the expense of Fizzcore, the volume of which has decreased 60% during the past few years. It is fair to assume that the challenges of the cryptocurrency market have a direct effect on the effectiveness of malvertising campaigns featuring cryptocurrency.

Also, the increased regulatory scrutiny on financial investments makes it more likely that bad actors’ intentions would be more readily discovered. On the flip side, the increased consumer appetite for CBD gummies and other cure-alls serves as a nice alternative: capture consumer attention while avoiding detailed reviews by AdTech platforms and authorities.

UK Online Advertising Programme – We Got You

This emerging trend coincides with a changing regulatory landscape in the UK. The recently released government response to the UK Online Advertising Programme indicates an increased focus on two digital advertising plagues:

  1. Fake celebrity endorsements to promote fraudulent products
  2. Financial investments/promotions looking to defraud consumers

While much needs to happen before regulation is even presented to Parliament, it’s clear that safeguarding consumers from online harms is increasingly a barometer for the digital advertising industry.

No worries. The Media Trust is already alerting and blocking these campaigns for our customers. Our custom, AI-driven engine analyzes objects, text and images that are then visually verified by human eyes to ensure accurate results. Classified as phishing, these attacks are part of our standard, proprietary malware list and are blocked by Media Filter, which powers our DTS Programmatic solution for publishers.

With more than 300 distinct incidents and 25,000 blocks since April, it’s clear this malvertising trend will continue to escalate and fall within the UK government’s regulatory framework once it’s finalized.

Thwarting Celebcore

What started as a drip across a few small DSPs has quickly grown to affect larger AdTech players, especially native and omnichannel platforms. Even worse, these campaigns have proven to evade creative blockers that rely on domain or URL blocking parameters.

As regulation evolves to support the digital age, there are several things AdTech and publishers can do to enable digital trust and safety for consumers:

  • Landing page reviews: Pre-flight review of ad tags should include an actual clickthrough to landing pages to verify the authenticity of the content, not just a landing page URL review.
  • Content analysis: Increase scrutiny of native units.
  • Google connection: Continuously flag the fraudulent creative with Google so they terminate the campaign at its heart.
  • Ad quality policy update: Evaluate your current policy regarding the treatment of clickbait ads to ensure it addresses celebrity bitcoin scams.
  • Digital security expertise: A proactive team of 24/7 dedicated security analysts needs to constantly evaluate new creatives, domains, and tags for malicious activity.
  • Geographic profile scanning: Execute client-side scans from continuously changing geographic locations to ensure creative, tags, and landing pages are clean.
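
The landing page review and geographic profile scanning recommendations above can be combined into one pre-flight check. The following is an added example, not The Media Trust's code: it compares the pages a creative resolved to under different scan profiles and flags the cloaking traits described in this post. The scan records, profile names, `.example` domains, publisher list, `brand` field (assumed to come from an upstream logo or masthead detector) and similarity threshold are all constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed allow-list: publisher brand -> domains it legitimately serves from.
PUBLISHER_DOMAINS = {"Example Daily News": {"exampledaily.example"}}

DECLARED = "https://landing.example/blog/garden-tips"
# Constructed scan results for one creative, fetched under two profiles.
SCANS = [
    {"profile": "US-datacenter", "brand": None,
     "final_url": "https://landing.example/blog/garden-tips",
     "text": "ten easy tips for growing tomatoes in a small garden this summer"},
    {"profile": "AU-residential", "brand": "Example Daily News",
     "final_url": "https://landing.example/news/tv-host-secret",
     "text": "tv host reveals the gummies that changed his life order now"},
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def shingles(text, k=3):
    # Overlapping k-word windows, so small edits do not hide a content swap.
    words = text.lower().split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def similarity(a, b):
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)  # Jaccard index, 0.0 to 1.0

def review_creative(declared_url, scans, threshold=0.5):
    """Return (profile, finding) pairs; the first scan is the baseline."""
    findings = []
    baseline = scans[0]
    for s in scans:
        h = host(s["final_url"])
        # Clickthrough ended on a different host than the tag declared.
        if h != host(declared_url):
            findings.append((s["profile"], "landed-off-declared-domain"))
        # Page wears a known publisher's design on a domain it does not own.
        allowed = PUBLISHER_DOMAINS.get(s["brand"])
        if allowed is not None and h not in allowed:
            findings.append((s["profile"], "publisher-branding-on-unrelated-domain"))
        # Same creative, materially different page for this profile: cloaking.
        if s is not baseline and similarity(baseline["text"], s["text"]) < threshold:
            findings.append((s["profile"], "content-differs-from-baseline"))
    return findings

if __name__ == "__main__":
    for profile, finding in review_creative(DECLARED, SCANS):
        print(profile, finding)
```

A URL-only review passes this creative because both scans stay on the declared host; only the per-profile content and branding comparison exposes it.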