EXECUTIVE SUMMARY
Threat actors are impersonating major global brands, including financial institutions and retailers, to execute fraudulent advertising campaigns. These operations target consumers across regions like the UK and Europe by falsely claiming that trusted companies have launched online gambling products.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY
Threat actors are impersonating major global brands, including financial institutions and retailers, to execute fraudulent advertising campaigns. These operations target consumers across regions like the UK and Europe by falsely claiming that trusted companies have launched online gambling products.[emaillocker id="1283"]
The attackers aim to generate affiliate revenue by driving traffic to third-party online casinos. Instead of stealing data or demanding ransom, the primary objective is financial gain through user acquisition fees, effectively exploiting brand trust to deceive victims into engaging with unregulated gambling platforms.
The attack chain begins with paid social media advertisements featuring AI-generated content or stolen brand imagery, which directs users to fake landing pages mimicking official app stores. When victims attempt to install the application, they receive a Progressive Web App rather than legitimate software. This PWA creates a branded icon on the device, functioning as a browser wrapper that loads an external casino site. Attackers maintain control by embedding affiliate tracking links within the PWA, ensuring they receive payment whenever a victim registers or deposits funds into the gambling platform.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Defense Evasion | T1036.001 | Masquerading | Invalid Code Signature |
| Command and Control | T1102 | Web Service | — |
REFERENCES:
The reports contain further technical details:
https://www.netcraft.com/blog/branded-gambling-campaigns-how-scammers-are-exploiting-trusted-brands
https://cybersecuritynews.com/scammers-impersonate-trusted-brands/