Popup enlarges at the last second so users click on ads instead of 'Close' button

Trick has been used for a few months as part of an active traffic re-distribution campaign.


If there's one thing that cyber-criminals are good at, it's at coming up with new ideas to generate profits in the shadiest and sometimes the most original ways.

Among all criminal groups, the most creative bunch are the ones involved with the re-distribution of traffic from hacked sites. Because of the quick pace at which browser vendors tend to patch reported problems, these groups need to come up with new tricks more often than their colleagues involved with desktop or mobile malware.

Over the past few months, security researchers at Malwarebytes, who study the evolution of traffic re-distribution groups and their respective campaigns, have observed a new method that crooks are using to generate profits.

The idea behind this new method is to send unsuspecting users to malicious websites that show an ad inside a popup. Like most popups, this one displays a "close" button (an X) in its top-right corner.

Popup ad switcheroo (Image: Malwarebytes)

However, when the user moves the mouse towards the X to close the popup, CSS code on the page reacts to the cursor reaching the close button: it expands the popup and moves the ad banner into the cursor's path, so the click intended for the close button lands on the ad instead.

Malwarebytes' Jérôme Segura explains:

The crooks use CSS code dynamically appended to the page that monitors the mouse cursor and reacts when it comes over the X. The timing is important to capture the click a few milliseconds later when the ad banner comes in focus. These client-side tricks are implemented to maximize ad profits, since revenue generated from ad clicks is much higher.

Popup ad switcheroo (Image: Malwarebytes)

An animated GIF of this old switcheroo trick is embedded below.
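To make the mechanics concrete, here is an added example, written for this article and not code from Malwarebytes' report or from the campaign itself. It models the popup as a paint-ordered stack of rectangles in plain JavaScript (no DOM needed), performs the hover-triggered swap exactly as described above (the ad grows to the full popup area and is raised above the X the moment the cursor reaches it), and then applies a simple click-integrity heuristic of the kind an extension could implement. The geometry, element names, the 500 ms window and the heuristic itself are assumptions for illustration; no browser ships this check.

```javascript
'use strict';
// Added example (not from the Malwarebytes report): DOM-free model of the
// "expand the ad under the close button on hover" trick plus a click-integrity
// heuristic. Geometry, ids and timings are illustrative assumptions.

function rect(x, y, w, h) { return { x, y, w, h }; }

function contains(r, px, py) {
  return px >= r.x && px < r.x + r.w && py >= r.y && py < r.y + r.h;
}

// The popup as a paint-ordered stack: later entries are drawn on top.
function makePage() {
  return {
    stack: [
      { id: 'page',  rect: rect(0, 0, 800, 600) },
      { id: 'popup', rect: rect(200, 150, 400, 300) },
      { id: 'ad',    rect: rect(210, 190, 380, 250) },
      { id: 'close', rect: rect(580, 150, 20, 20) },   // the "X" in the top-right corner
    ],
    swappedAt: null,   // time at which the ad was moved over the X, or null
  };
}

// Topmost element under a point, i.e. what a click at that point would hit.
function hitTest(page, px, py) {
  for (let i = page.stack.length - 1; i >= 0; i--) {
    if (contains(page.stack[i].rect, px, py)) return page.stack[i].id;
  }
  return null;
}

// Attacker side (what the page's hover rule does): once the cursor is over the
// X, enlarge the ad to the whole popup area and raise it above the close button.
function attackerOnMouseMove(page, px, py, now) {
  if (page.swappedAt !== null || hitTest(page, px, py) !== 'close') return;
  const adIndex = page.stack.findIndex(e => e.id === 'ad');
  const [ad] = page.stack.splice(adIndex, 1);
  ad.rect = rect(200, 150, 400, 300);   // now covers the X at x 580..600, y 150..170
  page.stack.push(ad);                  // highest z-order
  page.swappedAt = now;
}

// Defender-side heuristic (an assumption, not a browser feature): treat a click
// as suspicious when the element under a stationary pointer changed less than
// `windowMs` before the click. Slow clicks still land on the ad but escape it.
function isSuspiciousClick(targetAtEnter, targetAtClick, swappedAt, clickTime, windowMs = 500) {
  return targetAtEnter !== targetAtClick &&
         swappedAt !== null &&
         clickTime - swappedAt < windowMs;
}

// A user moves onto the X and clicks `delayMs` later; `hostile` toggles the trick.
function simulateClose(delayMs, hostile = true) {
  const page = makePage();
  const px = 590, py = 160;   // centre of the X
  const t0 = 1000;
  const targetAtEnter = hitTest(page, px, py);   // 'close': what the user believes they are clicking
  if (hostile) attackerOnMouseMove(page, px, py, t0);
  const clickTime = t0 + delayMs;
  const targetAtClick = hitTest(page, px, py);
  return {
    targetAtEnter,
    targetAtClick,
    suspicious: isSuspiciousClick(targetAtEnter, targetAtClick, page.swappedAt, clickTime),
  };
}

console.log('hostile page, 50 ms click:', JSON.stringify(simulateClose(50)));
console.log('honest page, 50 ms click: ', JSON.stringify(simulateClose(50, false)));
```

Running it shows the user entering on `close` but the click hitting `ad` on the hostile page, while the honest page keeps `close` as the target. The heuristic flags the fast switch but, as the caveat in the code notes, a click that comes more than 500 ms after the swap is not flagged, which is why the timing Segura mentions matters to the attacker and why a time window alone is a weak defence compared with not loading the ad at all.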

In a report published this week, Segura said this trick was being abused by a group that has recently been involved in exploiting a WordPress plugin zero-day to take over sites.

The group planted code on these hacked sites to hijack small amounts of traffic, which it later redirected towards various types of sites, such as tech support scams, sites performing ad fraud, or online stores hosting credit card-stealing code.

Traffic redirection diagram (Image: Malwarebytes)

This trick of moving the ad in the place of a popup's close button is just the latest in a long line of sneaky gimmicks.

In the past, crooks would trigger thousands of downloads to freeze users' browsers on tech support scam pages, making them believe their computer had serious problems; they would create JavaScript infinite loops to keep the CPU at 100 percent and slow down the user's computer; or they would use custom cursors to offset the mouse click area and prevent users from closing tabs (a trick browser vendors have recently fixed).

Since this latest trick of quickly transposing an ad's position is implemented with CSS on the page itself rather than through a request to an ad network, a classic ad blocker's filter lists will not stop the swap. An ad blocker still helps, though: if the ad is never loaded inside the popup in the first place, there is nothing to move under the cursor and the trick is useless.
