SecurityWeek

New Online Ad Hijacking Scheme Discovered

Adometry (formerly Click Forensics), a company that helps customers monitor online ad campaigns, including identifying click fraud, today said its Malware Lab has discovered a new highly sophisticated advertising fraud scheme targeting online video, display and search ads.

The attack, called “ad hijacking,” uses similar malware and infection delivery methods to create a network of computers aimed at committing advertising fraud through different kinds of advertisements and channels.

The company said that Windows is the only operating system it observed to be susceptible to infection, but said the malware can infect home firewalls, causing other systems and browsers behind the firewall to experience the search hijacking.

Adometry said its Malware Lab first identified the new ad hijacking scheme and malware delivery method in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user’s computer through an advertisement on a popular web site or simply when a browser visits a particular web site. Once a user’s machine is infected, the malware receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud, each working slightly differently.

Search Hijacking – when a user enters an organic search term, the malware program re-directs the browser through different ad networks and arbitrage companies. Visitors can end up on sites they had no intention of visiting, and advertisers pay for unintentional and invalid clicks. Alternatively, visitors can reach their intended destination after being rerouted through several arbitrage networks, resulting in advertisers paying for audiences they would otherwise have for free. In addition, the malware program can be instructed to auto-click on specific ads on certain publisher sites and networks even when a browser session is inactive.

Video Ad Fraud – the malware hijacks an organic search and redirects the user’s browser to a web page that displays a video ad. The video plays and the advertiser is charged for the impression, which can command premiums of $30-$50 per thousand impressions (CPM).

Display Impression Inflation – hidden in the background from the user, the malware can direct the computer’s browser to various publisher pages that show display ads in order to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for seemingly valid impressions because a “real” visitor generated the traffic.
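An added example (not from Adometry or the original article) of how a defender might surface the search-hijacking pattern described above in web proxy logs: it rebuilds redirect chains that begin at a search results page and flags those that pass through more than a set number of intermediary hosts before landing. The log layout, host names and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

SEARCH_HOSTS = {"search.example"}  # assumption: hosts treated as search engines
MAX_HOPS = 2                       # assumption: intermediary hosts tolerated per chain

# Constructed proxy records: (time_s, client, host, referer_host, status, location_host)
SAMPLE_LOG = [
    (100, "10.0.0.5", "shop.example", "search.example", 200, None),
    (200, "10.0.0.7", "adnet-a.example", "search.example", 302, "arb-b.example"),
    (200, "10.0.0.7", "arb-b.example", None, 302, "arb-c.example"),
    (201, "10.0.0.7", "arb-c.example", None, 302, "landing.example"),
    (201, "10.0.0.7", "landing.example", None, 200, None),
    # Benign single hop: bare domain redirecting to its www host.
    (300, "10.0.0.5", "news.example", "search.example", 301, "www.news.example"),
    (300, "10.0.0.5", "www.news.example", None, 200, None),
]

def redirect_chains(records):
    """Yield (client, [hosts]) for each navigation that starts from a search page."""
    by_client = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):  # stable: keeps order within a second
        by_client[rec[1]].append(rec)
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            _, _, host, referer, status, location = recs[i]
            if referer not in SEARCH_HOSTS:
                i += 1
                continue
            chain = [host]
            # Follow 3xx responses while the next request goes to the Location host.
            while (300 <= status < 400 and location
                   and i + 1 < len(recs) and recs[i + 1][2] == location):
                i += 1
                _, _, host, _, status, location = recs[i]
                chain.append(host)
            yield client, chain
            i += 1

def flag_hijack_candidates(records, max_hops=MAX_HOPS):
    """Return chains whose count of distinct intermediary hosts exceeds max_hops."""
    findings = []
    for client, chain in redirect_chains(records):
        if len(set(chain[:-1])) > max_hops:
            findings.append({"client": client, "landing": chain[-1], "hops": chain[:-1]})
    return findings

if __name__ == "__main__":
    for finding in flag_hijack_candidates(SAMPLE_LOG):
        print(finding)
```

A flagged chain is a lead for endpoint inspection, not proof of infection; legitimate ad and affiliate links also redirect, so the threshold needs tuning against a baseline of normal traffic.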

“In the past, advertising fraudsters have mainly set their sights on the search advertising industry,” said Paul Pellman, CEO of Adometry. “This is the first attack we’ve seen that coordinates advertising fraud across many different online ad channels.”

Between November 2010 and May 2011, the Adometry Malware Lab tracked the advertising scheme across many online ad networks and publishers. While difficult to quantify, the frequency with which Lab machines were infected indicates that tens or hundreds of thousands of computers are likely infected, generating millions of invalid clicks and advertising impressions per month. At the time of publishing this article, Adometry said the only antivirus program it saw that was capable of preventing the malware from being installed was Kaspersky Anti-Virus 2011. An Adometry researcher demonstrates the malware in the video below.


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
