A major ad fraud operation known as “Scallywag” has been generating a staggering 1.4 billion fraudulent ad requests daily at its peak through deceptive WordPress plugins designed to monetize piracy websites.
The sophisticated scheme, recently disrupted by HUMAN’s Satori Threat Intelligence and Research team, exploited digital piracy through a collection of four WordPress extensions that redirect users through ad-laden intermediary pages before delivering the promised pirated content or shortened URLs.
Threat actors use a set of WordPress extensions called Scallywag to reroute users from URL-shortening services or piracy catalog sites to one or more intermediary cashout sites, where they display a number of advertisements, and then back to the promised pirated content or shortened URL.
The four WordPress modules identified in the operation include Soralink (released in 2016), Yu Idea (2017), WPSafeLink (2020), and Droplink (2022), which together formed the foundation of this fraud-as-a-service ecosystem. What makes Scallywag particularly concerning is its accessibility and grassroots promotion.
“These extensions lower the barrier to entry for a would-be threat actor who wants to monetize content that wouldn’t generally be monetizable with advertising,” states the report.
Numerous YouTube tutorials coach aspiring digital pirates on setting up their own schemes using these plugins.
The operation employed sophisticated domain cloaking techniques, which are classified as False Representations in the Interactive Advertising Bureau’s Invalid Traffic (IVT) Taxonomy.
When ad networks or advertisers visited the intermediary cashout sites directly, they appeared as innocent blogs with normal ad placements.
However, when users arrived via piracy portals, these same sites morphed into ad-saturated pages with minimal content.
Cloaking and Open Redirectors
Technical analysis revealed that most Scallywag sites achieved this cloaking behavior through deep linking, where the piracy catalog page includes links to webforms that automatically submit and redirect users to decloaked versions of the pages.
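An added example (not code from HUMAN's report or from the plugins): a crawler-side heuristic in Python that flags the deep-link pattern described above, a form carrying only hidden fields that a script submits to a different host. The hosts, the field name and the auto-submit pattern are assumptions, and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (assumed): script text that submits a form without a click.
AUTO_SUBMIT = re.compile(r"\.(?:submit|requestSubmit)\s*\(")

class FormScanner(HTMLParser):
    """Collects each form's action and field counts, plus script text."""
    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("onload"):                  # e.g. <body onload="...">
            self.scripts.append(a["onload"])
        if tag == "form":
            self._form = {"action": a.get("action") or "", "hidden": 0, "visible": 0}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            hidden = (a.get("type") or "text").lower() == "hidden"
            self._form["hidden" if hidden else "visible"] += 1
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:                  # inline <script> body
            self.scripts.append(data)

def find_auto_redirect_forms(html, page_url):
    """Return actions of script-submitted, hidden-only forms leaving page_url's host."""
    scanner = FormScanner()
    scanner.feed(html)
    auto = any(AUTO_SUBMIT.search(s) for s in scanner.scripts)
    page_host = urlparse(page_url).hostname
    return [f["action"] for f in scanner.forms
            if auto and urlparse(f["action"]).hostname not in (None, page_host)
            and f["hidden"] and not f["visible"]]

# Constructed samples; hosts and field names are placeholders.
DEEPLINK = ('<body onload="document.forms[0].submit()"><form method="post" action='
            '"https://cashout.example/go"><input type="hidden" name="token" value="abc"></form></body>')
SEARCH = ('<form action="https://search.example/q"><input type="text" name="q">'
          '<input type="submit"></form><script>console.log("hi")</script>')
```

A hit is a lead for review rather than proof of cloaking, since some legitimate flows such as payment hand-offs also auto-submit hidden forms across hosts.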
The operation’s cashout sites employed multiple tactics to maximize ad impressions:
- Timers forcing users to wait before proceeding.
- CAPTCHAs requiring user interaction.
- Required scrolling through entire pages.
- Multiple intermediate pages with heavy ad loads.
To further obfuscate their activities, Scallywag operators implemented open redirectors that “sanitized” referrer information. These redirectors made traffic appear to originate from legitimate sources like social media platforms or search engines rather than piracy sites.
At its height, the operation spanned 407 cashout domains but has seen a dramatic 95% decline in traffic following HUMAN’s intervention.
The security firm implemented measures to flag Scallywag traffic in their Human Defense Platform, cutting off the operation’s revenue streams.
“Domain cloaking threat models continue to be a pervasive and persistent threat in the advertising landscape and are exacerbated by easy-to-configure schemes like Scallywag,” researchers noted.
Despite the significant disruption, threat actors have shown resilience by rotating domains and exploring alternative monetization methods.
Customers partnering with HUMAN for ad fraud protection remain protected, as the company continues to monitor and counteract new adaptations of the scheme.
Digital piracy remains a persistent challenge for the advertising ecosystem, with the Interactive Advertising Bureau estimating losses in the billions annually due to such fraudulent schemes.