Morphixx Malvertising Scam Attacks US, Japan & Europe in a Global Malicious Ad Campaign to Steal Credit Card Numbers & Generate $5 – 10 Billion in Credit Card Charges

Share Article

GeoEdge security research team first uncovered the Morphixx malicious credit card scam attack ads in Europe in June, and a full-blown auto-redirect malvertising attack with millions of ad impressions was launched in Japan on August 15th and in the US on September 6th, which was thwarted by GeoEdge

“The Morphixx malvertising credit card scam was run by an advanced and well-funded group of cybercriminals, judging by the sophistication of the ad implementation and personalization, the timing of the ads for less than 24 hours during the weekend when fewer security employees are working, and the f

This year has already been a record year for malicious advertising, with malware attack ads increasing by 85% according to ad security provider GeoEdge.

Research from the Federal Trade Commission shows that identity theft has increased by 75.4% between 2017 and 2019 with credit card scams accounting for 41.8% of the reported incidences of identity theft. And this is before accounting for the increase in 2020 as a result of COVID-19 and the laxer security resulting from more users working from home.

As these numbers attest, credit card scams have become big business. According to cyber intelligence firm Sixgill, in the first half of 2019, there were 23 million credit and debit card numbers for sale in the dark web, with 15 million of those American cards.

This has enticed multinational cybercriminal organizations to invest resources to develop and implement digital advertising-based credit card scams. The global nature and sophistication of the Morphixx malvertising attacks indicate that the perpetrators aren’t teens in their basement. And the increased digitization of payments will undoubtedly be met with a significant increase in malvertising attacks involving payment solutions.

On June 23rd, the Morphixx campaign ads were first noticed in Europe, in low volumes, and without the malicious payload. The malicious advertisers inserted keywords like ‘Adidas’ into the ad’s URL as a distraction to gain the trust of the ad networks which ran the campaign, making malicious detection more difficult (than when campaigns are run from private servers instead of known ad networks). Because the ads ran via known ad networks, they appeared on popular and trusted websites.

On June 28th, the number of ad impressions increased dramatically targeting users in the UK, Italy, Switzerland, and other countries based on their IP address with the malicious payload, according to security researchers at GeoEdge. From the initial Adidas ad, users were auto-redirected to a malicious fake ad in the colors, logo, and language of each user’s Internet Service Provider (ISP) asking them to complete a short survey. Upon completion of the survey, a congratulatory message was triggered announcing that each user won a free mobile phone for which they must submit their email and credit card details.

This is where innocent users fell pretty to the malvertising scam.

To avoid detection, the malvertisers behind Morphixx implemented a fingerprinting process to avoid detection mechanisms by loading a creativeJS file which allows the project to be downloaded quickly and cached across different sites using the same version of libraries. Next, the malicious script is loaded – an obfuscated script to set up the URL for the initiation of the redirect script.

Security researchers at GeoEdge, utilizing the company’s patented behavioral code analysis technology, content and deep landing page analysis, and advanced malware detection, uncovered the Morphixx malvertising credit card scam in Europe. The landing page with prizes and comments from 127 people, many including profile pictures, highlights the sophistication of the Morphixx malvertising efforts.

Given the elaborate personalization of the content, including branding from the user’s ISP, the percent of users who fall victim to such a scam can be as high as 1 – 2%, according to GeoEdge.

The campaign in Japan, also detected by GeoEdge’s security research team, was identical, indicating that both efforts are from the same cybercriminal organization. The number of ads served in Japan was greater than in Europe, undoubtedly influenced by the fact that Japan is a cyber-secure country and users tend to be more trusting than in Europe or North America.

On Sunday, September 6th, in the early morning hours, the Morphixx malicious credit card scam struck in the US, according to GeoEdge’s security research team.

“The Morphixx malvertising credit card scam was run by an advanced and well-funded group of cybercriminals, judging by the sophistication of the ad implementation and personalization, the timing of the ads for less than 24 hours during the weekend when fewer security employees are working, and the fact that these campaigns have run across so many geographies and time zones,” said Liran Lavi, Security Team Lead, GeoEdge. “These cybercriminals either have a network to monetize the stolen credit cards quickly OR are selling the credit card numbers on the dark web – not things teen hackers typically attempt.”

“The only way to block increasingly sophisticated and payment-based malicious ad attacks like Morphixx is through continuous and real-time advanced malware detection utilizing patented behavioral code technology,” added Liran from GeoEdge.

About GeoEdge
GeoEdge is the premier provider of ad verification and transparency solutions for the online and mobile advertising ecosystem. The company’s mission is to protect the integrity of the digital advertising ecosystem and to preserve a quality experience for users. It ensures high ad quality and verifies that sites and apps offer a clean, safe, and engaging user experience. GeoEdge guards against non-compliance, malware, inappropriate content, data leakage, operational, and performance issues.‎ Leading publishers, ad platforms, exchanges, and networks rely on GeoEdge’s automated ad verification solutions to ‎monitor and protect their ad inventory – without sacrificing revenue. The company was founded in 2010 by a team with more than two decades of hands-on technical and online media experience. To learn more, visit

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Uriah Av-Ron
+1 (646) 755-6120
Email >
Visit website