March 8, 2023 By Threat Intelligence Team
This investigation was a joint effort between Malwarebytes Threat Intelligence's Jérôme Segura, DeepSee's Rocky Moss and Antonio Torres.
Key findings
-
Over a dozen unique domains were found selling ad inventory through Google Ad Manager, even though the pages were embedded invisibly under the content of illegal movie & porn streaming sites
-
Streaming sites in the DeepStreamer fraud ring generated an estimated 210,550,928 visits in January 2023, as measured by Similar Web
-
There was not a single seller in common between each of the sites used for laundering (the “money sites”), but most offered their inventory for sale through Google Ad Manager
-
Using extremely conservative estimates, which factor in a 50% ad-block rate & 70% ad-unit fill rate, we project advertiser spend on this scheme between $120k - $1.2 million in January 2023 alone
-
Working with a leading ad buying platform, we were able to confirm there were hundreds of millions of bid requests generated for these domains between January and February 2023