{"id":597,"date":"2026-04-14T16:04:08","date_gmt":"2026-04-14T16:04:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=597"},"modified":"2026-04-14T16:04:08","modified_gmt":"2026-04-14T16:04:08","slug":"ai-driven-pushpaganda-scam-exploits-google-discover-to-spread-scareware-and-ad-fraud","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=597","title":{"rendered":"AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have unmasked a novel ad fraud scheme that leverages search engine optimization (SEO) poisoning techniques and artificial intelligence (AI)-generated content to push deceptive news stories into\u00a0Google&#8217;s <a href=\"https:\/\/search.google\/intl\/en-GB\/ways-to-search\/discover\/\">Discover\u00a0feed<\/a> and trick users into enabling persistent browser notifications that lead to scareware and financial\u00a0scams.<\/p>\n<p>The campaign, which targets the personalized content feeds of Android and Chrome users, has been\u00a0codenamed <strong>Pushpaganda<\/strong> by HUMAN&#8217;s Satori Threat Intelligence and Research\u00a0Team.<\/p>\n<p>\u00abThis operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages,\u00bb researchers Louisa Abel, Vikas Parthasarathy, Jo\u00e3o Santos, and Adam\u00a0Sell <a 
href=\"https:\/\/www.humansecurity.com\/learn\/resource\/satori-threat-intelligence-alert-pushpaganda-manipulates-google-discovery-feeds-with-ai-generated-content-to-spread-malicious-notifications\/\">said<\/a> in a report shared with The Hacker\u00a0News.<\/p>\n<p>At its peak, about 240 million bid requests have been associated with 113 domains linked to the campaign\u00a0over a seven-day\u00a0period. The\u00a0threat, although observed targeting India, has since expanded to other regions like the U.S., Australia, Canada, South Africa, and the\u00a0U.K.<\/p>\n<p>The findings demonstrate how threat actors abuse AI to hijack trusted discovery surfaces and turn them into delivery vehicles for scareware, deepfakes, and financial fraud, Gavin Reid, chief information security officer at HUMAN, said. Google\u00a0has since rolled out a fix to address the spam\u00a0issue.<\/p>\n<p>The entire scheme hinges on the scammers luring unsuspecting users through Google Discover to trick them into visiting misleading news stories filled with AI-generated content. 
Once\u00a0a user lands on one of the actor-controlled domains, they are coerced into enabling push notifications that deliver fake legal threats and\u00a0scams.<\/p>\n<p>Specifically, the scareware notifications, once clicked, redirect users to additional sites operated by the threat actors, generating organic traffic to ads embedded in those sites and enabling them to generate illicit\u00a0revenue.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5Wn2kkMjtbnw1-KkAsjvAMfATolufczv33o1P7UttJOTKOAc6YScPd3Tvt6sCVzs6yXF0V4xIvHMM0EHuC6Q4RNnW0Lsmq_xlTti9tv53wvZRIzRireicc3KQC-zalXpW1vjWn6Mtwd8Sdy16pPaCIB6kMLIqIMyihLwqSETUljDIF2vSUKwS2478O6Dh\/s1700-e365\/flow.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5Wn2kkMjtbnw1-KkAsjvAMfATolufczv33o1P7UttJOTKOAc6YScPd3Tvt6sCVzs6yXF0V4xIvHMM0EHuC6Q4RNnW0Lsmq_xlTti9tv53wvZRIzRireicc3KQC-zalXpW1vjWn6Mtwd8Sdy16pPaCIB6kMLIqIMyihLwqSETUljDIF2vSUKwS2478O6Dh\/s1700-e365\/flow.jpg\" alt=\"\" border=\"0\" data-original-height=\"928\" data-original-width=\"1921\"\/><\/a><\/div>\n<p>This is not the first time threat actors have weaponized push notifications to redirect users to sketchy websites. In\u00a0September 2025, Infoblox shed light on a threat actor known\u00a0as Vane\u00a0Viper that has engaged in systematic push notification abuse to serve ads and facilitate ClickFix-style social engineering campaigns.<\/p>\n<p>\u00abMalware-based threats involving push notifications, both for web and mobile platforms, aren&#8217;t a novel threat, especially when you consider the way in which they create a sense of urgency,\u00bb Lindsay Kaye, vice president of threat intelligence at HUMAN Security, told The Hacker News. 
\u00abIn many cases, users are quick to click, either to make them go away or to get more information, making them an effective tool in a malware author&#8217;s\u00a0arsenal.\u00bb<\/p>\n<p>The disclosure also comes a little over a month after HUMAN identified a collection of more than 3,000 domains and 63 Android apps that it said constituted one of the largest ad fraud laundering marketplaces ever uncovered. Dubbed\u00a0Low5 for its use of HTML5-based game and news sites, the operation has been found to monetize the domains\u00a0as cashout sites for sophisticated fraud schemes,\u00a0including BADBOX\u00a02.0.<\/p>\n<p>\u00abThe operation peaked at roughly 2 billion bid requests a day and may have operated on as many as 40 million devices worldwide,\u00bb the\u00a0company <a href=\"https:\/\/www.humansecurity.com\/learn\/blog\/satori-threat-intelligence-alert-low5-apps-and-domains-launder-multiple-ad-fraud-schemes\/\">said<\/a>. \u00abApps associated with Low5 include code that instructs user devices to visit one of the domains connected with the scheme and click on ads found\u00a0there.\u00bb<\/p>\n<p>Cashout sites, also called ghost sites, are used to conduct content-driven fraud, where the attackers use bogus sites and apps to sell space to advertisers who may assume their ads will be viewed by humans. 
The\u00a0Android apps in question have been removed from the Google Play\u00a0Store.<\/p>\n<p>\u00abA shared monetization layer spanning more than 3,000 domains allows multiple threat actors to plug into the same infrastructure, creating a distributed laundering system that increases threat resilience, complicates attribution, and enables rapid replication,\u00bb HUMAN\u00a0added.<\/p>\n<p>\u00abA key takeaway from this research is that monetization infrastructure can survive even after a specific fraud campaign is shut down. If\u00a0one malicious app or device network is removed, the same cashout domains can still be reused by other actors. Low5\u00a0reinforces the need for continuous, aggressive threat intelligence and detection expertise to hunt down cashout domains and flag them\u00a0pre-bid.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have unmasked a novel ad fraud scheme that leverages search engine optimization (SEO) poisoning techniques and artificial intelligence (AI)-generated content to push deceptive news 
stories&hellip;<\/p>\n","protected":false},"author":1,"featured_media":598,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[403,1219,430,250,2,1218,595,1220,262],"class_list":["post-597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-aidriven","tag-discover","tag-exploits","tag-fraud","tag-google","tag-pushpaganda","tag-scam","tag-scareware","tag-spread"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=597"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/598"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}