{
	"id": "557ed001-514f-4eb7-a795-83b66081c396",
	"created_at": "2026-04-06T00:20:00.367874Z",
	"updated_at": "2026-04-10T13:11:53.813807Z",
	"deleted_at": null,
	"sha1_hash": "306084011312d5977551a04f75402d2243697a18",
	"title": "Associated Press, ESPN, CBS among top sites serving fake virus alerts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420096,
	"plain_text": "Associated Press, ESPN, CBS among top sites serving fake virus\r\nalerts\r\nBy Jérôme Segura\r\nPublished: 2023-11-30 · Archived: 2026-04-05 17:51:33 UTC\r\nScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably\r\nran into one of their online scams on your mobile device.\r\nConfiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also\r\ndisrupting their activities. However, ScamClub has been back for several weeks, and more recently they were\r\nbehind some very high profile malicious redirects.\r\nThe list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are\r\nautomatically redirected to a fake security alert connected to a malicious McAfee affiliate.\r\nScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify\r\nprecisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare\r\nwhich immediately took action and flagged it as phishing.\r\nForced redirects\r\nMastodon user Blair Strater (@r000t@fosstodon.org) was simply browsing the Associated Press website on his\r\nphone when he was suddenly redirected to a fake security scan page:\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts\r\nPage 1 of 7\n\nMalicious redirect from APnews.com (credit Blair Strater)\r\nThis fake scanner is not run by McAfee, but the domain name systemmeasures[.]life that we see in the address bar\r\nis the landing page that redirects to one of its affiliates. 
That affiliate was previously reported but continues\r\nunabated.\r\nWeb traffic between malicious page and McAfee site\r\nBased on public data, several ad exchanges were abused to deliver this fake antivirus campaign via real-time\r\nbidding (RTB) in the past few weeks. Most of the telemetry we saw from our Malwarebytes user base was related\r\nto smaller websites with ‘risky’ advertisers. However, a different campaign was targeting mobile users with\r\nmalicious ads slipping by on top publishers (note: this data comes from VirusTotal):\r\nESPN.COM (1.585B monthly visits)\r\nsystemmeasures[.]life/avs/en/mob/mcafee-2.php?c=5uz3hbaiz7oz2\u0026k=b47648817b492be8ba9c7dc97addefb6\u0026coun\r\nAPNEWS.COM (307.2M monthly visits)\r\nsystemmeasures[.]life/avs/en/mob/mcafee-2.php?c=59z40b4g6z7oz2\u0026k=506222e0611d62c3261b9ba847063faa\u0026cou\r\nCBSSPORTS.COM (265.1M monthly visits)\r\nsystemmeasures[.]life/avs/en/mob/mcafee-2.php?c=5uz16jptz7oz2\u0026k=d2761f12fed2ce8472ab704fd55d49e1\u0026coun\r\nMost of the public reports ([1], [2], [3]) indicate this campaign was at its peak around November 19. To be clear,\r\nAP, ESPN, CBS and other sites were not hacked, but rather showed malicious ads. It appears that this high profile\r\ncampaign stopped shortly after, as we haven’t seen new telemetry data coming from these publishers. However,\r\nthe other campaign we are also monitoring that is affecting smaller sites is still ongoing (via\r\neu[.]vulnerabilityassessments[.]life and us[.]vulnerabilityassessments[.]life).\r\nConnection with ScamClub\r\nWe were able to connect this campaign to the ScamClub infrastructure because of another domain\r\n(trackmaster[.]cc) that was previously mentioned as belonging to the threat actor. 
We can see the relationship\r\nbetween systemmeasures[.]life (the landing page) and trackmaster[.]cc (the intermediary domain) in the urlscan.io\r\nsubmission below:\r\nurlscan.io scan showing the relationship between two domains\r\nFingerprinting\r\nLike other malvertising threat actors, ScamClub dabbles in obfuscation and evasion techniques. However, as\r\npreviously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation\r\nwith changing variable names, making identification harder.\r\nPreviously, the malicious JavaScripts were hosted on Google’s cloud but they have now moved to Azure’s CDN.\r\nScamClub’s malicious JavaScript\r\nMalvertising and mobile users\r\nOn this blog, we have covered a number of malvertising campaigns targeting Desktop, both consumer and\r\nenterprise. This is in part because we hunt for Windows malware and the occasional Mac ones too.\r\nScamClub is a good example of targeting a big market segment, Mobile Web, where security software is often an\r\nafterthought, in particular on iOS, in part due to restrictions imposed by Apple. 
Clearly, malvertising is flourishing\r\non Mobile and users are just as likely, if not more, to get tricked into downloading malware or get scammed.\r\nMalwarebytes for Android protects users from this campaign:\r\nIndicators of Compromise\r\nScamClub URLs\r\noctob[.]azureedge[.]net/oc.js\r\nlzi[.]azureedge[.]net/lz.js\r\ntinlc[.]azureedge[.]net/pt.js\r\nbm-rb[.]azureedg\r\nScamClub JavaScript hashes\r\nRedirectors\r\nScam landing pages\r\nsystemmeasures[.]life\r\nxyzcreators[.]xyz\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts"
	],
	"report_names": [
		"associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts"
	],
	"threat_actors": [
		{
			"id": "38d454f7-6689-443b-939e-062054a229b1",
			"created_at": "2023-12-03T02:00:05.152067Z",
			"updated_at": "2026-04-10T02:00:03.487236Z",
			"deleted_at": null,
			"main_name": "ScamClub",
			"aliases": [],
			"source_name": "MISPGALAXY:ScamClub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434800,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/306084011312d5977551a04f75402d2243697a18.pdf",
		"text": "https://archive.orkl.eu/306084011312d5977551a04f75402d2243697a18.txt",
		"img": "https://archive.orkl.eu/306084011312d5977551a04f75402d2243697a18.jpg"
	}
}