Adometry (formerly Click Forensics), a company that helps customers monitor online ad campaigns, including identifying click fraud, today said its Malware Lab has discovered a new, highly sophisticated advertising fraud scheme targeting online video, display and search ads.
The attack, called “ad hijacking,” uses similar malware and infection delivery methods to create a network of computers aimed at committing advertising fraud through different kinds of advertisements and channels.
The company said that Windows is the only operating system it observed to be susceptible to infection, but said the malware can infect home firewalls, causing other systems and browsers behind the firewall to experience the search hijacking.
Adometry said its Malware Lab first identified the new ad hijacking scheme and malware delivery method in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user’s computer through an advertisement on a popular web site or simply when a browser visits a particular web site. Once a user’s machine is infected, the malware receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud, each working slightly differently.
• Search Hijacking – when a user enters an organic search term, the malware program redirects the browser through different ad networks and arbitrage companies. Visitors can end up on sites they had no intention of visiting, and advertisers pay for unintentional and invalid clicks. Alternatively, visitors can reach their intended destination after being rerouted through several arbitrage networks, resulting in advertisers paying for audiences they would otherwise have for free. In addition, the malware program can be instructed to auto-click on specific ads on certain publisher sites and networks even when a browser session is inactive.
• Video Ad Fraud – the malware hijacks an organic search and redirects the user’s browser to a web page that displays a video ad. The video plays and the advertiser is charged for the impression, which can command premiums of $30-$50 per thousand impressions (CPM).
• Display Impression Inflation – hidden in the background from the user, the malware can direct the computer’s browser to various publisher pages that show display ads in order to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for seemingly valid impressions because a “real” visitor generated the traffic.
“In the past, advertising fraudsters have mainly set their sights on the search advertising industry,” said Paul Pellman, CEO of Adometry. “This is the first attack we’ve seen that coordinates advertising fraud across many different online ad channels.”
Between November 2010 and May 2011, the Adometry Malware Lab tracked the advertising scheme across many online ad networks and publishers. While difficult to quantify, the frequency with which Lab machines were infected indicates that tens or hundreds of thousands of computers are likely infected, generating millions of invalid clicks and advertising impressions per month. At the time of publishing this article, Adometry said the only antivirus program it saw that was capable of preventing the malware from being installed was Kaspersky Anti-Virus 2011. An Adometry researcher demonstrates the malware in the video below.