Billion of fake ad impressions created by malware

Researchers have discovered a new type of malware that creates false ad impressions to generate fraudulent ad revenues. In a few months, the malware created more than a billion false impressions, ZDNet knows.

Last Wednesday, cyber security company Flashpoint reported that the malware has been responsible for a billion false Google Adsense impressions in three months. The targets of the Windows malware include Google Chrome, Mozilla Firefox and the Yandex browser. Infected browsers are linked to a botnet, which creates monthly false revenues for criminals by illegally pushing up the number of ad impressions.

A victim’s browser is first infected by malware that is capable of exploiting security holes or vulnerabilities in the software. In this first phase, a new malicious browser extension is added or the “Patcher” module, which performs this task for the malware, is downloaded. On Windows, the installer for this module will pretend to be a scheduled normal task, behaving as if it were linked to Windows Update (so the program will eventually run automatically).

Injection of ad impressions

Once the malignant extension is added, another component is implemented under the name Finder, which steals browser login information as well as cookies. Finder then sends the data to the operator’s command and control server (C2). A separate C2 is also used to pass on commands to the malware, for example to set how often bots check for stolen information. Advertisements are then injected, as it were, into browser sessions. Also, scripts sometimes generate traffic in the background to create false impressions without the user being aware of them at all.

The code does not place itself on every website a victim visits. The malware also uses blacklists, on which for example Google domains and Russian websites can be found. Flashpoint reports that the largest number of installation attempts have taken place in Russia, Ukraine and Kazakhstan.