Insidious GhostCat malvertising primarily leveraging VAST tags to attack consumers
Online consumers looking for quality video content have received a slew of nasty surprises this year as the nefarious GhostCat phishing attack has begun delivering redirects through video players. This ongoing outbreak has impacted at least three dozen ad platforms, hundreds of premium publishers, and millions of consumers.
After a December 2023 surge, GhostCat has kicked off 2024 with a bang, delivering more than 13,000 malicious tags through dozens of ad platforms.
GhostCat (aka ScamClub) has expanded and evolved at a rapid pace, with unique attacks (which can each account for millions of impressions) growing ~3X between 2022 and 2023 alone. Also, in the previous year, GhostCat jumped from harassing mobile users to delivering attacks 2024 is off to riotous start, with 153 unique attacks discovered on more than 13,000 ad tags.
But the most alarming development: the vast majority of these most recent attacks are leveraging VAST tags and launching redirects from video players. Video players within native advertising units appear to be most vulnerable to GhostCat assault.
Bolstering Defenses
Attacks via VAST and video players represent a frightful new vector—video players act semi-independently on pages, calling ad units on their own. Therefore video-based GhostCat can often evade header- or wrapper-based malware-blocking scripts.
This puts extra pressure on upstream partners like SSPs and DSPs to screen all video ad assets for malware (as well as potentially objectionable ad content) before they enter the programmatic video pipes. But that’s not enough, as threat actors are notorious for switching out creatives/landing pages mid-campaign—continuous analysis is the only way to stay secure.
In addition, video players (particularly those based in native units) need to team up with digital security providers—video-based attacks can be stopped in real time as long as the security provider is analyzing data/content coming into the player as it is delivered.
Is CTV Next?
Considering GhostCat’s longevity and quick maturation, it seems only a matter of time before CTV inventory is under attack. As mentioned in The Media Trust’s recent CYA 2024 report, a great deal of malvertising is used to steal data for larger and more devastating attacks like ransomware. CTV could prove an exceptional data supply for household-level targeting.
While video inventory long appeared to be too expensive for threat actors’ budgets, their overall strategy appears to be shifting. The digital trust and safety strategies of media and adtech must evolve alongside it for the sake of consumers and a burgeoning business channel.
Common GhostCat phishing creatives.
The amount of unique GhostCat phishing attacks, which can each impact millions of consumers, has grown 3X+ since 2020, with a massive surge beginning in 2023.
For more on GhostCat and other major digital trust & safety issues for 2024, watch The Media Trust’s CYA 2024 webinar and download the full report.
