
New Online Ad Hijacking Scheme Discovered

Adometry (formerly Click Forensics), a company that helps customers monitor online ad campaigns, including identifying click fraud, today said its Malware Lab has discovered a new highly sophisticated advertising fraud scheme targeting online video, display and search ads.

The attack, called “ad hijacking,” uses similar malware and infection delivery methods to create a network of computers aimed at committing advertising fraud through different kinds of advertisements and channels.

The company said that Windows is the only operating system it observed to be susceptible to infection, but said the malware can infect home firewalls, causing other systems and browsers behind the firewall to experience the search hijacking.

Adometry said its Malware Lab first identified the new ad hijacking scheme and malware delivery method in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user’s computer through an advertisement on a popular web site or simply when a browser visits a particular web site. Once a user’s machine is infected, the malware receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud, each working slightly differently.

Search Hijacking – when a user enters an organic search term, the malware program re-directs the browser through different ad networks and arbitrage companies. Visitors can end up on sites they had no intention of visiting, and advertisers pay for unintentional and invalid clicks. Alternatively, visitors can reach their intended destination after being rerouted through several arbitrage networks, resulting in advertisers paying for audiences they would otherwise have for free. In addition, the malware program can be instructed to auto-click on specific ads on certain publisher sites and networks even when a browser session is inactive.

Video Ad Fraud – the malware hijacks an organic search and redirects the user’s browser to a web page that displays a video ad. The video plays and the advertiser is charged for the impression, which can command premiums of $30-$50 per thousand impressions (CPM).

Display Impression Inflation – hidden in the background from the user, the malware can direct the computer’s browser to various publisher pages that show display ads in order to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for seemingly valid impressions because a “real” visitor generated the traffic.
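A defender-side sketch of how the search rerouting described above could be spotted in web proxy logs, added here as an example and not taken from Adometry or the article. It flags click-throughs from a search results page that pass through several redirecting hosts before landing; the log format, the `search.example` host, the sample records and the hop threshold are all assumptions.

```python
from urllib.parse import urlparse

# Assumptions for this sketch: search-engine hosts and the hop threshold are
# placeholders to tune per environment; they are not taken from the article.
SEARCH_HOSTS = {"search.example"}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed proxy records: (client, url, status, Location header, Referer)
SAMPLE_LOG = [
    ("10.0.0.5", "https://search.example/results?q=running+shoes", 200, None, None),
    ("10.0.0.5", "http://hop1.example/r?x=1", 302, "http://hop2.example/c?x=1",
     "https://search.example/results?q=running+shoes"),
    ("10.0.0.5", "http://hop2.example/c?x=1", 302, "http://hop3.example/t", None),
    ("10.0.0.5", "http://hop3.example/t", 302, "http://shop.example/landing", None),
    ("10.0.0.5", "http://shop.example/landing", 200, None, None),
    ("10.0.0.9", "https://search.example/results?q=weather", 200, None, None),
    ("10.0.0.9", "http://weather.example/today", 200, None,
     "https://search.example/results?q=weather"),
]

def host(url):
    return urlparse(url).hostname

def redirect_chain(records, start):
    """Follow 3xx Location headers for one client, returning the hosts visited."""
    client, url, status, location, _ = records[start]
    chain, i = [host(url)], start
    while status in REDIRECTS and location:
        # Next request by the same client for the redirect target, later in the log.
        nxt = next((j for j in range(i + 1, len(records))
                    if records[j][0] == client and records[j][1] == location), None)
        if nxt is None:            # target never fetched (blocked or log truncated)
            chain.append(host(location))
            break
        i = nxt
        _, url, status, location, _ = records[i]
        chain.append(host(url))
    return chain

def flag_rerouted_searches(records, min_hops=2):
    """Flag search click-throughs that pass through >= min_hops redirecting hosts."""
    findings = []
    for i, (client, url, _, _, referer) in enumerate(records):
        if referer and host(referer) in SEARCH_HOSTS and host(url) not in SEARCH_HOSTS:
            chain = redirect_chain(records, i)
            if len(set(chain[:-1])) >= min_hops:   # exclude the landing host
                findings.append((client, chain))
    return findings
```

Paid search ads legitimately pass through a click tracker or two, so a hit is a lead for review rather than proof of infection. Because the article notes that an infected home firewall affects every system behind it, the same chain recurring across several clients on one network is worth checking at the gateway.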

“In the past, advertising fraudsters have mainly set their sights on the search advertising industry,” said Paul Pellman, CEO of Adometry. “This is the first attack we’ve seen that coordinates advertising fraud across many different online ad channels.”

Between November 2010 and May 2011, the Adometry Malware Lab tracked the advertising scheme across many online ad networks and publishers. While difficult to quantify, the frequency with which Lab machines were infected indicates that tens or hundreds of thousands of computers are likely infected, generating millions of invalid clicks and advertising impressions per month. At the time of publishing this article, Adometry said the only antivirus program it saw that was capable of preventing the malware from being installed was Kaspersky Anti-Virus 2011. An Adometry researcher demonstrates the malware in the video below.


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
