Malware framework generates 1B fake ad impressions in 3 months

News by Rene Millman

A malware framework holds code that hunts for YouTube referrers and, upon finding them, injects JavaScript with code that fraudulently generates likes for videos

A new malware framework has been created by hackers that has generated more than one billion fraudulent ad impressions in the past three months.
According to a blog post by researchers at Flashpoint, features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams.
The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex’s browser., researchers said.
It was discovered that once a browser is infected, the initial stage of the framework executes. The installer sets up take-based persistence, either sets up a new browser extension or downloads a module that does so, and checks in on whether the installation was successful.
Once the extension executes within the browser, it begins injecting ads or generating traffic hidden to the user. The paths and code that happen after this extension data kicks in are massive and the functionality of this framework goes down a number of paths.
Researchers also discovered that the scripts do not inject every website, and most carry large blacklists of domains that are mostly Google domains and Russian websites. In addition, the scripts also attempt to avoid injects into pornographic sites, as these may throw off the impressions. The malware is concentrated in a few geographic locations, led by Russia, Ukraine, and Kazakhstan.
Joseph Carson, chief security scientist & advisory CISO at Thycotic, told SC Media UK that browser extensions have become the cyber-criminals favourite method at controlling devices and easily gaining access to sensitive personal information.  
"The ease of installing browser extensions and lack of user awareness on the risks, exposes companies to a major business risks. This means browsers could be stealing sensitive company information and sending it back to cyber-criminals.  Browser extensions have become a privacy nightmare and businesses must take appropriate action to minimise this risk," he said.
David Fraser, security specialist at converged ICT supplier GCI, told SC Media UK that like any software package that end users may require, whitelisting is critical to any organisations security posture to enable the IT department to sandbox and test for both security and compatibility before releasing as approved.  "This alone is not enough, with the evolving tactics of threat actors, it is critical to have a strategy that layers security. With good firewalling and content filtering that blocks unknown sites and known malicious sites, traffic to command and control servers can be restricted. With a managed security service that identifies that the rouge traffic is traversing an organisations network, incident responders can then identify the source of the traffic and provide root cause analysis of how this happened. With this insight, a more targeted security awareness training package can be provided to the individuals that visited the offending malicious website or clicked on the link in the email," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews