September, 2021
by Team clean, on Sep 29, 2021 12:00:30 PM
New TI-24 Threat Detected
Thanks to our real-time behavioral solution, clean.io partners remain protected even when a new threat enters the ecosystem. In September the clean script caught and blocked a new threat, TI-24, as it entered the ecosystem.
After a new threat is captured behaviorally, clean.io's Threat Research team conducts a full forensic audit of the attack, including its overall architecture, delivery methods, payloads and specific triggers.
Our research found that TI-24 comes from a known group of bad actors, the same group responsible for the massive rise in threats in August. This time they combined the following tactics to evade detection and place malware on users' devices:
- Multiple Layers of Cloaking by Request Parameters
- Clickjacking
- Fingerprinting
- Targeting by Device
New TI-24 Threat
TI-24's JavaScript fingerprints the device to single out mobile users on a cellular connection, while hiding its malicious payload behind multiple layers of cloaking keyed on request parameters.
Users who don't meet those conditions are shown a "safe" ad, so the payload stays hidden from anyone inspecting the creative and avoids detection.
When the conditions are met, the cloaked attack takes over the webpage with an invisible overlay: any tap on the page lands on the overlay instead of the content beneath it and redirects the user to a harmful webpage, where the bad actors can steal data or install malware on the user's device. This technique is referred to as clickjacking.
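As an added illustration (this is not clean.io's detection code and not the TI-24 payload), the following heuristic shows how a page-side scanner can spot the overlay pattern described above: an out-of-flow element that covers the whole viewport, is effectively invisible, still receives taps, and sends them to a different origin. The coverage and z-index thresholds, the element-snapshot shape, and the sample hostnames are assumptions made for the example; the snapshot is constructed inline so the block runs in Node, and snapshotDom() shows how the same shape would be collected in a browser.

```javascript
// Added example, not clean.io's code: heuristic scan for invisible,
// tap-capturing, full-viewport overlays (the clickjacking pattern above).
// Works on plain "element snapshots" so it runs in Node; in a browser,
// build them with snapshotDom() below.

const MIN_COVERAGE = 0.9;   // assumed: overlay must cover >= 90% of the viewport
const MIN_Z_INDEX = 1000;   // assumed: "sit on top of everything" threshold

// Fraction of the viewport this rect covers, after clipping to the viewport.
function viewportCoverage(rect, viewport) {
  const left = Math.max(rect.left, 0);
  const top = Math.max(rect.top, 0);
  const right = Math.min(rect.left + rect.width, viewport.width);
  const bottom = Math.min(rect.top + rect.height, viewport.height);
  const area = Math.max(0, right - left) * Math.max(0, bottom - top);
  return area / (viewport.width * viewport.height);
}

// "Invisible" means the element still receives taps but the user cannot
// see it: near-zero opacity, or a fully transparent box with nothing drawn.
function isInvisible(style, hasVisibleContent) {
  const opacity = parseFloat(style.opacity ?? '1');
  if (opacity <= 0.05) return true;
  const transparentBg = /^(transparent|rgba\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*,\s*0\s*\))$/i
    .test((style.backgroundColor || '').trim());
  return transparentBg && !hasVisibleContent;
}

// True when an http(s) href resolves to an origin other than the page's.
function isOffOrigin(href, pageOrigin) {
  if (!href) return false;
  try {
    const u = new URL(href, pageOrigin);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return false; // javascript:, mailto: not judged
    return u.origin !== new URL(pageOrigin).origin;
  } catch {
    return false; // malformed href
  }
}

// Reasons an element looks like a clickjacking overlay, or null when it
// does not even have the basic shape (out of flow and covering the viewport).
function overlayReasons(el, viewport, pageOrigin) {
  const outOfFlow = el.style.position === 'fixed' || el.style.position === 'absolute';
  if (!outOfFlow || viewportCoverage(el.rect, viewport) < MIN_COVERAGE) return null;
  const reasons = [];
  if (isInvisible(el.style, el.hasVisibleContent)) reasons.push('invisible');
  if (Number(el.style.zIndex) >= MIN_Z_INDEX) reasons.push('high z-index');
  const capturesTaps = el.style.pointerEvents !== 'none' && (el.href || el.hasClickHandler);
  if (capturesTaps) reasons.push('captures taps');
  if (isOffOrigin(el.href, pageOrigin)) {
    reasons.push('redirects off-origin to ' + new URL(el.href, pageOrigin).hostname);
  }
  return reasons;
}

// Report only elements that are both invisible and tap-capturing: a visible
// interstitial, or an inert scrim with pointer-events: none, is not clickjacking.
function findClickjackOverlays(elements, viewport, pageOrigin) {
  const hits = [];
  for (const el of elements) {
    const reasons = overlayReasons(el, viewport, pageOrigin);
    if (reasons && reasons.includes('invisible') && reasons.includes('captures taps')) {
      hits.push({ id: el.id, tag: el.tag, reasons });
    }
  }
  return hits;
}

// Browser-only collector (not exercised in Node). Note: only inline onclick
// handlers are visible this way; addEventListener handlers are not.
function snapshotDom(doc = document, win = window) {
  return Array.from(doc.querySelectorAll('*')).map((node, i) => {
    const cs = win.getComputedStyle(node);
    return {
      id: node.id || `${node.tagName.toLowerCase()}#${i}`,
      tag: node.tagName.toLowerCase(),
      href: node.href || null,
      rect: node.getBoundingClientRect(),
      style: { position: cs.position, opacity: cs.opacity, zIndex: cs.zIndex,
               pointerEvents: cs.pointerEvents, backgroundColor: cs.backgroundColor },
      hasVisibleContent: node.textContent.trim().length > 0 || node.children.length > 0,
      hasClickHandler: typeof node.onclick === 'function',
    };
  });
}

// Constructed sample (placeholder hostnames, not real infrastructure): a
// phone-sized viewport, a sticky header, a normal visible ad slot, and a
// transparent full-screen anchor that sends every tap to another host.
const PAGE_ORIGIN = 'https://publisher.example';
const SAMPLE_VIEWPORT = { width: 390, height: 844 };
const SAMPLE_ELEMENTS = [
  { id: 'site-header', tag: 'header', href: null, hasClickHandler: false, hasVisibleContent: true,
    rect: { left: 0, top: 0, width: 390, height: 60 },
    style: { position: 'fixed', opacity: '1', zIndex: '10', pointerEvents: 'auto', backgroundColor: 'rgb(255, 255, 255)' } },
  { id: 'ad-slot-1', tag: 'iframe', href: null, hasClickHandler: false, hasVisibleContent: true,
    rect: { left: 45, top: 500, width: 300, height: 250 },
    style: { position: 'static', opacity: '1', zIndex: 'auto', pointerEvents: 'auto', backgroundColor: 'rgba(0, 0, 0, 0)' } },
  { id: 'overlay-1', tag: 'a', href: 'http://landing.example.invalid/go?c=1', hasClickHandler: false, hasVisibleContent: false,
    rect: { left: 0, top: 0, width: 390, height: 844 },
    style: { position: 'fixed', opacity: '0', zIndex: '2147483647', pointerEvents: 'auto', backgroundColor: 'rgba(0, 0, 0, 0)' } },
];

console.log(JSON.stringify(findClickjackOverlays(SAMPLE_ELEMENTS, SAMPLE_VIEWPORT, PAGE_ORIGIN), null, 2));
```

Run against the constructed snapshot, only `overlay-1` is reported, with reasons "invisible", "high z-index", "captures taps" and the off-origin hostname. Because the cloaking only serves the payload to fingerprinted cellular mobile users, a scan like this has to run in the victim's own browser context (as a behavioral blocker does) rather than in a desktop crawler, which would only ever see the "safe" ad.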
TI-24 Threat Level Snapshot
clean found that 33% of SSPs were impacted, with most attacks originating from Verizon Media.
By Sept 20, attack volume through ImproveDigital and Outbrain had decreased, while GumGum began to see small spikes as the malvertising group likely retargeted its campaign.
On the DSP side, 22% were impacted overall, with most TI-24 attacks originating via Bidswitch, while Trade Desk accounted for a consistent 8-12% of the remaining daily threats.
Attacks primarily occurred in the United States (over 90%), but were also detected in Denmark, Italy, France, Great Britain, and Japan.
As a result, 75% of our customers were targeted by this new threat, despite the attack coming through just 2-3 SSPs and 1-2 DSPs.
September Threat Level Snapshot
- Overall, the new TI-24 threat made up less than 10% of total threats over the clean.io network in September
- TI-23, a threat known for crypto scams, surged in mid-September and made up the large majority of threats during the Sept 18, 21, and 25 peak attack periods
- TI-19, a mobile in-app pixel stuffing scam, continues to surge across the ecosystem
- TI-23, TI-19, and TI-01 (an in-app redirect) all saw simultaneous spikes on Sept 10