The campaign is spread via a high profile malvertising chain that typically redirects victims to exploit kits but this time redirects users from high trafficked adult site to what appears to be an adult video streaming page but is actually a paid advertisement which generates revenue from each impression and click, according to a 10 January blog post.
The goal of the campaign is to generate money from impressions and clicks from what look like clean and trusted traffic, researchers said in the post. Researchers noted the crooks behind the campaign were also concerned about click fraud and took precautions to ensure all of the clicks and impressions came from real users and not bots.
The software used in the campaign tracks the movements and clicks of a user's mouse and are able to decipher between actual users and bots and if a bot is identified, the page redirects it to google.com instead of one of the dummy pages which generate revenue.
Researchers also spotted the campaign “fingerprinting” visitors upon the initial redirection from malvertising to collect their IP address User-Agent, and screen resolution via a POST request, to identify real users versus crawlers or repeated visits of the same page, the post said.
The campaign also use filters to weed out bots or machines that are already blacklisted. The researchers notified Google and passed along the necessary information concerning the abuse of their ad platform
“The problem remains that there is an ever growing concern from both users (adopting ad blockers at a fast pace) and advertisers, getting less and less bang for their buck,” Malwarebytes lead malware intelligence analyst Jérôme Segura said in the post. “Just like with malvertising, as long as there is an economic gain, criminals will keep on pursuing their abuse to exploit advertising as a unique and profitable fraud and infection vector.”