Malware framework creates one billion fake Google Adsense ad impressions in only a few months

Google Chrome, Mozilla Firefox, and Yandex are all targets.

YouTube instructional hacking videos: To ban or not to ban YouTube removed 'instructional hacking' content from a prominent educational channel. Supporters fought back.

Researchers have revealed a new malware framework which focuses on bumping up advert impressions to generate fraudulent revenue for operators. 

On Wednesday, cybersecurity firm Flashpoint said the framework has been responsible for over one billion fraudulent Google Adsense ad impressions in the past three months alone -- and is also able to generate fake likes on YouTube videos as well as watch hidden Twitch streaming sessions. 

Google Chrome, Mozilla Firefox, and the Yandex browser are all targets on Windows machines. Infected browsers are linked into a botnet which is used to generate monthly income for fraudsters. 

See also: Malicious code hidden in advert images cost ad networks $1.13bn this year

A victim's browser is first infected by malware able to exploit security holes or vulnerabilities in the software. In the framework's first stage, a new, malicious browser extension is added or malware will download the "Patcher" module which performs this task on its behalf. 

The installer will set itself up on Windows machines as a scheduled task to maintain persistence and pretends to be associated with Windows Update by way of an XML file stored locally. 

Once the ad-impression extension is added, another component called Finder is implemented which steals browser login credentials and cookies. Finder will package this stolen data up and send it to the operator's command-and-control (C2) server. 

A separate C2 is also used to relay commands to the malware relating to how often bots check for stolen information.

The malicious extension will draw upon a number of different resources depending on which browser is in use. Adverts will be injected into browser sessions or scripts will generate traffic in the background without the knowledge of the victim.

"Most of the code in the framework is related to ad fraud and includes scripts that search and replace ad-related code on web pages [as well as] code for reporting clicks and other data to the command-and-control infrastructure," Flashpoint says. 

CNET: AT&T hit with lawsuit over sale of customers' location data

The code does not inject itself on every website a victim visits and large blacklists including Google domains and Russian websites are also implemented. A number of porn websites, too, are on the blacklist, which the researchers say is likely due to the risk of "throwing off the impressions."

Flashpoint says the largest number of installation attempts have taken place in Russia, Ukraine, and Kazakhstan.

The cybersecurity firm has provided indicators of compromise (IOCs) which can be accessed here. 

TechRepublic: Phishing alert: 80% of companies lack DMARC policies to protect against spoofing

In related news this week, a well-known Chinese Android app developer, CooTek, was banned from the Google ad platform after attempting to circumvent restrictions on ad intrusiveness. 

The developer created an advertising library which rendered phones close to unusable due to aggressive ad displays, and despite being told to refresh its apps without the library, CooTek continued to break Google's rules concerning advert prominence on Android devices.  

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0