Pirate Ships as a Service: Scallywag and Enabling Digital Piracy
Adam Sell

It’s hard to monetize digital piracy. Advertisers don’t want their brands associated with illicit activity, after all. As a result, threat actors have to get crafty with finding revenue sources to cash out and make the risks of sailing the high seas worth it for them.
HUMAN’s Satori Threat Intelligence and Research team has disrupted Scallywag, a sophisticated ad fraud operation that uses a collection of WordPress extensions to monetize digital piracy through hundreds of cashout domains and URL shortening. Scallywag generates revenue for bad actors by inserting intermediary pages between a piracy catalog site and the actual streaming pirated content. These intermediary pages are loaded with ads, buttons, and artifacts designed to point toward the pirated content, but only if visited the “right” way (linked from the catalog site). If an advertiser visits the intermediary page directly, as they might when reviewing campaign performance information, the site looks like a benign blog.
Schemes like Scallywag (and Camu and Merry-Go-Round before it) show the lengths to which threat actors must go to get a payout from piracy.
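An added example, not from HUMAN or the original article: one way an advertiser could check a landing page for the referral-dependent behavior described above is to capture it twice, once loaded directly and once reached through the referring link, and compare the third-party embeds. The URLs, HTML captures, and the `min_extra` threshold are constructed assumptions, and counting third-party iframes and scripts is only a rough proxy for ad load.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmbedCollector(HTMLParser):
    """Collect hosts of third-party iframes/scripts (rough proxy for ad load)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        host = urlparse(dict(attrs).get("src") or "").hostname
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            self.hosts.append(host)


def third_party_embeds(html, page_url):
    collector = EmbedCollector(urlparse(page_url).hostname)
    collector.feed(html)
    return collector.hosts


def cloaking_report(page_url, direct_html, referred_html, min_extra=3):
    """Compare a direct capture with one reached via the referring link."""
    direct = third_party_embeds(direct_html, page_url)
    referred = third_party_embeds(referred_html, page_url)
    return {
        "direct_embeds": len(direct),
        "referred_embeds": len(referred),
        "new_hosts": sorted(set(referred) - set(direct)),
        # min_extra is an assumed threshold; tune it against known-good pages
        "suspect": len(referred) - len(direct) >= min_extra,
    }


# Constructed captures of the same URL (not real Scallywag pages).
PAGE = "https://blog.example/post-1"
DIRECT = "<h1>Ten travel tips</h1><script src='/theme.js'></script>"
REFERRED = (
    "<h1>Ten travel tips</h1><script src='/theme.js'></script>"
    "<iframe src='https://ads-a.example/slot1'></iframe>"
    "<iframe src='https://ads-a.example/slot2'></iframe>"
    "<script src='https://ads-b.example/tag.js'></script>"
    "<iframe src='https://ads-c.example/slot'></iframe>"
)

if __name__ == "__main__":
    print(cloaking_report(PAGE, DIRECT, REFERRED))
```

A page that serves the same markup both ways reports `suspect: False`; a large jump in third-party embeds on the referred capture is a signal to review the placement manually.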
Honor Among Thieves: Grassroots Promotion of Scallywag WordPress Extensions
What makes Scallywag unique is its as-a-service model: the real threat is the availability of the WordPress extensions. Scallywag extensions are the tools with which aspiring digital pirates can build their own pirate ships and set sail. The threat actors behind the extensions make their money by selling access to the extensions themselves, not by collecting and distributing pirated content.
Indeed, a whole community has sprung up supporting Scallywag extensions. A search for any of the extensions on YouTube will uncover several videos offering installation instructions and guides to making the extensions as lucrative as possible. Each extension is highly customizable by the individual digital pirate, resulting in myriad different paths and patterns for a user to take to get from the catalog site to the pirated content.
Flying a Different Flag: Using Open Redirectors to Obfuscate Referrals
Fun fact: pirate ships didn’t actually fly the Jolly Roger until they were up close and personal with the ship they were targeting for an attack. They flew other flags, signaling to the targeted ship that they were friendly and could be approached. Only when the target ship was close enough not to be able to run away did the pirate ship switch to the pirate flag.
The idea of changing the flag to hide in plain sight is a part of Scallywag, too. Researchers observed several paths that included an open redirector. These redirectors “sanitized” the referrer information, changing it from the catalog site to something benign, like a social media platform or a search engine. This shift, much like a pirate flying a different flag to get closer to the target, makes it harder still for an advertiser to recognize that the traffic is not what they want to advertise on.
Policing the High Seas: Disrupting Scallywag Operations
With 1.4 billion fraudulent bid requests daily at its peak, Scallywag represents a significant case of ad fraud and digital piracy. Traffic associated with Scallywag has declined 95% since Satori researchers uncovered it and implemented measures to flag the traffic in the Human Defense Platform. Customers partnering with HUMAN for ad fraud protection remain protected from Scallywag, but threat actors continue to adapt, primarily through domain rotation.
HUMAN’s technology detects and mitigates these complex fraud schemes by design. As such, our efforts to combat Scallywag are extensive and ongoing. The threat actors have made several adaptations, but HUMAN researchers identify the changes each time and deploy new protections to enhance our platform.