And the full execution chain:

🡆 Ad is initiated by RTBTradeIn, a no-name programmatic ad server:

http://us-nj-e37.rtbtradein[.]com/?t=impr&bwpr=0.3750&uniq=14d856f948531518a642a4d9fad564a1

🡆 Revive ad server (first ad-serving layer):

http://servedby.aqua-adserver[.]com/afr.php?zoneid=5326&target=_blank&cb=

🡆 Uprival ad server (second ad-serving layer):

https://api.uprivaladserver[.]com/v2/a/iframe/?tid=5b943031ba2e541654823f3f&pid=5d7ece51ba2e540f7caa927e&rnd=[CACHE-BUSTING-ID-HERE]&width=300&height=250

🡆 Fake ad creative (Doc Sock for evasion)

https://cdn.uprivaladserver[.]net/images/cd0dc7bb-8ed1-45b1-9f6a-f0e662b30fee.jpg

🡆 Actual ad creative (Paul McCartney — link is still up as of this writing)

https://cdn.uprivaladserver[.]net/images/885c952d-7424-4697-a453-09891389266f.jpg

🡆 We didn’t capture the Paul McCartney “Pre-sale” page here 🤷

Abusing commercial adserver targeting

Starting November 2019, FizzCore upgraded their infrastructure (see “second generation” above) and started relying on commercial ad servers to look more legitimate. We spotted 3 different ad serving accounts (we’ve notified the vendors) for which FizzCore paid hefty monthly fees, replacing their previous Revive ad server (free and open source, low reputation). Below is an example of this “second generation” execution flow.

Fake RyanAir ad (Germany)

🡆 Ad “creative” loads from commercial ad server

https://servedby.flashtalking[.]com/imp/1/119139;4326760;201[…]

🡆 Using the ad server’s targeting capabilities, an additional “cloaked” script loads from:

https://cdn.flashtalking[.]com/xre/432/4326760/2929174/js/j-4326760-2929174.js

🡆 Non-targeted users (e.g. ad scanners, manual QA) get a different “fake” script at:

https://cdn.flashtalking[.]com/xre/432/4326760/2929107/js/j-4326760-2929107.js

🡆 The cloaked script contains an “extension” that the fake one doesn’t, loading an iframe at:

https://cdn.flashtalking[.]com/117149/2929174/index.html

For good measure, the cloaked ad server iframe spawns two components:

🡆 One for the image of the creative — an iframe on the FizzCore domain postel-kz[.]com (running the Uprival ad server).

The FizzCore domain provides one last chance for the image to flip between Cloaked and Fake:

Fake at https://cdn.postel-kz[.]com/images/fa474b69-b04a-40c7-a202-c954b7e241c1.jpg

Cloaked at https://cdn.postel-kz[.]com/images/795a1ad2-9990-45f9-845d-b8b4663b89e0.jpg

🡆 One for the cloaked landing page — the typical FizzCore link cloaker, this time at busetex[.]com.

For the “Fake” ad, the cloaker redirects to an unrelated legitimate website; here the creative is a genuine RyanAir ad that the actor borrowed from the wild:

https://www.ryanair.com/flights/de/de/fluege-nach-dublin

For the “Cloaked” ad, the cloaker redirects to the “Pre-sale” page.

We’ve notified the commercial ad servers impacted and they quickly took down the threat actor’s accounts.
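The practical lesson of the flow above is that a single fetch of a creative tells you nothing: every layer (the ad server's targeting, the postel-kz image host, the busetex link cloaker) can hand a scanner profile one thing and a targeted user another. The differential check below, added here as an example and not part of Confiant's or any vendor's tooling, takes two captures of the same placement, extracts the resources each one references, drops per-impression cache-busting parameters so they do not produce false positives, and reports what only the targeted view loads. The two HTML snippets are constructed stand-ins modelled on the components described above (the busetex path and `rnd` values are hypothetical); nothing is fetched from the network.

```python
"""Differential cloaking check over two captures of the same ad slot.

Added example, not Confiant's code. SCANNER_VIEW / TARGET_VIEW are constructed
to mirror the structure described in the post; they are not real captures.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: what a scanner / QA profile received.
SCANNER_VIEW = """
<div class="creative">
  <a href="https://www.ryanair.com/flights/de/de/fluege-nach-dublin">
    <img src="https://cdn.postel-kz.com/images/fa474b69-b04a-40c7-a202-c954b7e241c1.jpg?rnd=111">
  </a>
  <script src="https://cdn.flashtalking.com/xre/432/4326760/2929107/js/j-4326760-2929107.js"></script>
</div>
"""

# Constructed: what a targeted user received (extra iframe, other image, cloaker link).
TARGET_VIEW = """
<div class="creative">
  <a href="https://busetex.com/?rnd=222">
    <img src="https://cdn.postel-kz.com/images/795a1ad2-9990-45f9-845d-b8b4663b89e0.jpg?rnd=333">
  </a>
  <script src="https://cdn.flashtalking.com/xre/432/4326760/2929174/js/j-4326760-2929174.js"></script>
  <iframe src="https://cdn.flashtalking.com/117149/2929174/index.html"></iframe>
</div>
"""

# Elements whose src/href pull in another resource or carry the click-through.
RESOURCE_RE = re.compile(
    r"""<(?P<tag>script|img|iframe|a)\b[^>]*?\s(?:src|href)=["'](?P<url>[^"']+)["']""",
    re.I | re.S,
)
# Assumption: these query keys change on every impression and carry no signal.
VOLATILE_PARAMS = {"rnd", "cb", "uniq", "ord"}


def normalize(url):
    """Strip cache-busting query keys and fragments so two impressions compare equal."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k not in VOLATILE_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def resources(html):
    """Set of (tag, normalized_url) referenced by a capture."""
    return {(m.group("tag").lower(), normalize(m.group("url"))) for m in RESOURCE_RE.finditer(html)}


def cloaking_report(scanner_html, target_html):
    """Compare two captures; anything only the targeted profile loads is suspicious."""
    seen_by_scanner = resources(scanner_html)
    seen_by_target = resources(target_html)
    only_target = seen_by_target - seen_by_scanner
    scanner_hosts = {urlsplit(u).hostname for _, u in seen_by_scanner}
    target_only_hosts = {urlsplit(u).hostname for _, u in only_target}
    return {
        "cloaked": seen_by_scanner != seen_by_target,
        "only_scanner": sorted(seen_by_scanner - seen_by_target),
        "only_target": sorted(only_target),
        # Hosts the scanner never saw at all: the first pivot to chase.
        "new_hosts": sorted(target_only_hosts - scanner_hosts),
    }


if __name__ == "__main__":
    report = cloaking_report(SCANNER_VIEW, TARGET_VIEW)
    print("cloaked:", report["cloaked"])
    for tag, url in report["only_target"]:
        print("  targeted-only", tag, url)
    print("new hosts:", report["new_hosts"])
```

Two captures from the same profile that differ only in `rnd` come back as not cloaked, which is the property that makes the check usable at scale; the interesting output is `new_hosts`, since a host that appears only in the targeted view (here the link cloaker) is exactly the infrastructure a scanner would otherwise never see.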

Scale

In the ad tech ecosystem

So far, Confiant has detected FizzCore as a buyer on 8 different ad platforms, 4 of which are Tier-1 demand side platforms. FizzCore also obtained access to 3 buy-side ad servers that they progressively leveraged in place of Revive (an open source ad server) to build up legitimacy.

By geography

We have tracked FizzCore across Europe as well as in Oceania:

Heavily impacted: United Kingdom, Germany, Italy

Presence detected: Sweden, France, Spain, Netherlands, Australia, New Zealand

By the numbers

As of this writing, FizzCore is heavily focused on Germany. They’ve had a presence in the country on and off through the last 2 months, with progressively increased scale.

FizzCore — Last 60 days in Germany

On January 14, 2020, FizzCore served about 14 million shocking celebrity ads on German news sites (based on extrapolated Confiant data).

Standard clickthrough rates in banner ads are abysmal, in the range of 0.01% to 0.1%. By leveraging shocking imagery, FizzCore is able to boost those numbers to 3% or more (source: ad industry partners on actual FizzCore campaigns). Let’s look at their performance and ROI using some rough assumptions:

Views ➡ 14,370,000 (extrapolated from Confiant’s website coverage)

Clicks ➡ 215,550 (1.5% clickthrough conservative average based on actual ad server data)

Victims ➡ 2,156 (1% conversion estimate; the dollar figures below use the unrounded 2,155.5)

Damage ➡ $6,466,500 ($3,000 average loss per victim)

FizzCore net earnings ➡ $1,293,300 ($600 affiliate payout per victim)

So, on a big day this is north of $1m net profit in only one country — keeping in mind this is a back-of-the-envelope approximation to get a sense of the magnitude.

Attribution

Who is running FizzCore? How much of the supply chain do they operate?

The Ad Tech Buyer

We have a clear map of the threat actor’s presence in programmatic advertising, especially on news websites in Europe. This is what we initially started calling FizzCore.

By working with some trusted partners in the industry a few names kept coming up:

TomorrowAds: An ad agency with presence in US, Argentina, Spain, Israel

RevenueLift: Another ad agency with presence in US, Argentina, Spain. It appears to be somehow affiliated with Mango Media Partner, with shared employees and a shared location in Spain. At the time of writing this article, their website had been very recently taken down but can be found on Archive.org (LinkedIn is still up though).

These companies are responsible for buying ad traffic on one side, and obtaining access to commercial ad servers on the other side. We have no additional information on their involvement in the scheme.

The Affiliate

Reviewing dozens of different celebrity-endorsed “Pre-sale” pages for this bitcoin scam, we were able to associate FizzCore with two domains that are strongly tied to the rest of their infrastructure:

startlivingbetternow[.]com (Seen in Germany)

news-now[.]media (Seen in Italy and UK)

Additional evidence can be found by inspecting a script on the page at https://news-now[.]media/js/tag.js