
A large-scale ad fraud operation, dubbed “Scallywag,” has been exploiting compromised WordPress plugins to generate 1.4 billion fraudulent ad requests per day, according to recent findings by HUMAN Security and BleepingComputer [1]. The campaign primarily targets piracy and URL-shortening sites, using malicious plugins to redirect users through ad-heavy intermediary pages disguised as blogs. This operation highlights the growing sophistication of ad fraud tactics and the vulnerabilities in widely used CMS platforms like WordPress.
Technical Breakdown of the Scallywag Operation
The Scallywag campaign relies on four primary WordPress plugins (Soralink, Yu Idea, WPSafeLink, and Droplink) to automate fraudulent ad requests [1]. These plugins were distributed through compromised websites, often masquerading as legitimate tools for link management. Once installed, they injected JavaScript to force-load ads in hidden iframes, simulating user engagement. The operation used domain rotation to evade detection, switching between compromised hosting providers to maintain persistence.
HUMAN Security’s intervention disrupted 95% of the fraudulent traffic, but the operators quickly adapted by registering new domains [1]. The scale of the operation, 1.4 billion daily requests, places it among the largest ad fraud schemes documented in recent years. For context, ad fraud costs the global economy between $26 billion and $42 billion annually, with bot-driven traffic accounting for 47% of web activity [3].
Parallel Threats: ClearFake Malware Campaign
Separately, a malware campaign dubbed “ClearFake” has compromised over 6,000 WordPress sites by installing malicious plugins such as Wordfence Security Classic and LiteSpeed Cache Classic [2]. Attackers used stolen credentials to gain admin access, then deployed fake browser update prompts to deliver infostealers like ClickFix. Other malicious plugins linked to this campaign include SEO Booster Pro and Universal Popup Plugin.
Plugin Name | Function | Threat Type |
---|---|---|
Soralink | Link shortening | Ad fraud |
Wordfence Security Classic | Fake security plugin | Infostealer delivery |
Mitigation Strategies
WordPress administrators should immediately audit their sites for unauthorized plugins and admin accounts. Key steps include:
- Enforcing multi-factor authentication (MFA) for all admin accounts
- Regularly reviewing installed plugins against known malicious lists
- Implementing real-time scanning tools like Sucuri or Wordfence
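One way to carry out the plugin review step, as an added example that is not from the original article or from any vendor: it reads the `Plugin Name:` header of each plugin main file and compares it with the plugin names reported above. The sample directory tree is constructed, and matching on the declared name is an assumption, since the article gives no slugs or hashes.

```python
import re
import tempfile
from pathlib import Path

def normalize(name):
    return " ".join(name.lower().split())

# Names as reported in the article. It gives no slugs or hashes, so matching
# on the "Plugin Name:" header is an assumption; a renamed plugin evades it.
SCALLYWAG = ["Soralink", "Yu Idea", "WPSafeLink", "Droplink"]
CLEARFAKE = ["Wordfence Security Classic", "LiteSpeed Cache Classic",
             "SEO Booster Pro", "Universal Popup Plugin"]
WATCHLIST = {normalize(n): campaign
             for campaign, names in (("Scallywag", SCALLYWAG), ("ClearFake", CLEARFAKE))
             for n in names}
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def plugin_names(plugins_dir):
    """Yield (php_file, declared name) for every plugin main file."""
    root = Path(plugins_dir)
    # Main files sit in the plugins directory itself or one level below it.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        # WordPress only inspects the first 8 KB of a file for headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        m = HEADER.search(head)
        if m:
            yield php, m.group(1).strip()

def audit(plugins_dir):
    """Return [(relative path, declared name, campaign)] for watchlist hits."""
    root = Path(plugins_dir)
    return [(str(p.relative_to(root)), n, WATCHLIST[normalize(n)])
            for p, n in plugin_names(root) if normalize(n) in WATCHLIST]

def build_sample(root):
    """Constructed sample tree standing in for wp-content/plugins."""
    samples = {"wordfence/wordfence.php": "Wordfence Security",  # genuine name
               "wf-classic/main.php": "Wordfence Security Classic",
               "links/links.php": "SoraLink"}
    for rel, name in samples.items():
        f = Path(root, rel)
        f.parent.mkdir(parents=True)
        f.write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: 1.0\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for hit in audit(d):
            print(hit)
```

A clean result only means no plugin declares one of these names; the account and traffic checks in this section still apply.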
Advertisers and publishers can reduce exposure by deploying ads.txt/app-ads.txt to prevent domain spoofing and using bot detection services like HUMAN or White Ops [3]. Traffic anomalies, such as sudden spikes in impressions from specific domains, should trigger manual reviews.
Conclusion
The Scallywag and ClearFake campaigns demonstrate how attackers exploit WordPress’s extensibility for large-scale fraud and malware distribution. While security firms have made progress in disrupting these operations, the rapid adaptation of threat actors underscores the need for continuous monitoring and proactive defense measures. Organizations relying on WordPress should prioritize plugin vetting and access controls to mitigate these risks.
References
- [1] “Scallywag ad fraud operation generated 1.4 billion ad requests per day,” BleepingComputer, Apr. 21, 2025.
- [2] “Over 6,000 WordPress sites hacked to install plugins pushing infostealers,” BleepingComputer, Oct. 22, 2024.
- [3] “Click Fraud Report 2024,” Lunio, 2024.