New Online Ad Hijacking Scheme Discovered

Adometry (formerly Click Forensics), a company that helps customers monitor online ad campaigns, including identifying click fraud, today said its Malware Lab has discovered a new highly sophisticated advertising fraud scheme targeting online video, display and search ads.

The attack, called “ad hijacking,” uses similar malware and infection delivery methods to create a network of computers aimed at committing advertising fraud through different kinds of advertisements and channels.

The company said that Windows is the only operating system it observed to be susceptible to infection, but said the malware can infect home firewalls, causing other systems and browsers behind the firewall to experience the search hijacking.

Adometry said its Malware Lab first identified the new ad hijacking scheme and malware delivery method in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user’s computer through an advertisement on a popular web site or simply when a browser visits a particular web site. Once a user’s machine is infected, the malware receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud, each working slightly differently.

Search Hijacking – when a user enters an organic search term, the malware program re-directs the browser through different ad networks and arbitrage companies. Visitors can end up on sites they had no intention of visiting, and advertisers pay for unintentional and invalid clicks. Alternatively, visitors can reach their intended destination after being rerouted through several arbitrage networks, resulting in advertisers paying for audiences they would otherwise have for free. In addition, the malware program can be instructed to auto-click on specific ads on certain publisher sites and networks even when a browser session is inactive.

Video Ad Fraud – the malware hijacks an organic search and redirects the user’s browser to a web page that displays a video ad. The video plays and the advertiser is charged for the impression, which can command premiums of $30-$50 per thousand impressions (CPM).

Display Impression Inflation – hidden in the background from the user, the malware can direct the computer’s browser to various publisher pages that show display ads in order to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for seemingly valid impressions because a “real” visitor generated the traffic.
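As an added example (not from Adometry or the original article), here is a sketch of how an advertiser or ad network could flag the three patterns described above in its own event logs and surface clients that trip more than one of them. The event fields, host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Hypothetical field names and thresholds; not from Adometry or any ad platform.
SEARCH_HOSTS = {"search.example"}   # constructed organic-search origin
MIN_HOPS = 2                        # "several" intermediaries between search and landing page

def classify(event):
    """Return the set of fraud signals one ad event exhibits."""
    signals = set()
    chain = event.get("redirect_chain", [])
    from_search = bool(chain) and chain[0] in SEARCH_HOSTS
    hops = max(len(chain) - 2, 0)   # exclude the origin and the landing page
    rerouted = from_search and hops >= MIN_HOPS
    kind = event["type"]
    if kind == "click":
        if rerouted:
            signals.add("search_hijack")      # organic search pushed through arbitrage hops
        if not event.get("user_active", True):
            signals.add("auto_click")         # click with no user activity in the session
    elif kind == "video_impression" and rerouted:
        signals.add("video_ad_fraud")         # video ad reached via a hijacked search
    elif kind == "display_impression" and not event.get("viewable", True):
        signals.add("hidden_impression")      # ad rendered where the user never sees it
    return signals

def flag_clients(events, min_channels=2):
    """Map client id -> signals, keeping clients that trip several fraud channels."""
    per_client = defaultdict(set)
    for ev in events:
        per_client[ev["client"]] |= classify(ev)
    return {c: s for c, s in per_client.items() if len(s) >= min_channels}

# Constructed sample events (not real traffic).
SAMPLE = [
    {"client": "A", "type": "click", "user_active": True,
     "redirect_chain": ["search.example", "arb1.example", "arb2.example", "shop.example"]},
    {"client": "A", "type": "display_impression", "viewable": False,
     "redirect_chain": ["pub.example"]},
    {"client": "A", "type": "video_impression",
     "redirect_chain": ["search.example", "arb1.example", "arb3.example", "video.example"]},
    {"client": "B", "type": "click", "user_active": True,
     "redirect_chain": ["search.example", "shop.example"]},
    {"client": "C", "type": "click", "user_active": False,
     "redirect_chain": ["pub.example", "shop.example"]},
]

if __name__ == "__main__":
    for client, signals in flag_clients(SAMPLE).items():
        print(client, sorted(signals))
```
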

“In the past, advertising fraudsters have mainly set their sights on the search advertising industry,” said Paul Pellman, CEO of Adometry. “This is the first attack we’ve seen that coordinates advertising fraud across many different online ad channels.”

Between November 2010 and May 2011, the Adometry Malware Lab tracked the advertising scheme across many online ad networks and publishers. While difficult to quantify, the frequency with which Lab machines were infected indicates that tens or hundreds of thousands of computers are likely infected, generating millions of invalid clicks and advertising impressions per month. At the time of publishing this article, Adometry said the only antivirus program it saw that was capable of preventing the malware from being installed was Kaspersky Anti-Virus 2011. An Adometry researcher demonstrates the malware in the video below.


Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
