Researchers at Sucuri have identified two related malware-based ad fraud campaigns, one of which generates profits via clickjacking techniques.

Researchers have discovered two connected advertising fraud campaigns that compromise legitimate web sites and abuse Google AdSense, using tactics that are almost polar opposites of each other. While one campaign obtrusively places advertisements over web content, compelling users to click on them, the other attempts to generate clicks by furtively hiding ads underneath a free gift offer.

According to a Tuesday blog post, researchers at Sucuri detected both malware-driven campaigns, which appear to be either perpetrated by or linked to Indonesian hackers who have defaced some of the websites that also displayed the fraudulent ads.

The first fraud campaign infects websites with malicious JavaScript code that creates “div elements” containing Google ads that obscure the actual content visitors want to read. (A div element defines a specific division or section of an HTML document.) “Even if you resize or scroll the page, the ads will not go away and continue to hide a large part of the legitimate page content,” the blog post explains.

Visitors who click on the nuisance ads in hopes they will disappear are actually playing right into the hands of the fraudsters, who profit with every click generated as they essentially steal from legitimate advertisers.

The campaign infects sites with the malware either by inserting an iframe directly into their HTML code or by appending the script to legitimate JavaScript files, Sucuri reported. The malicious script is platform-agnostic and successfully compromises sites running on a variety of content management systems, as well as pure HTML sites.

The malware is designed to collect data from a site visitor's device, establish that visitor's location, and then connect with a malicious URL to determine if the visitor's profile matches criteria established by the cybercriminals. If the visitor is an ideal target, the malware generates JSON code containing a Google AdSense client ID and an ad slot ID to build an ad on the spot.

The AdSense client ID was exactly the same on every infected site that Sucuri observed, and even works on sites that already had their own AdSense blocks. This constitutes a flagrant abuse of Google's AdSense policy, which allows a publisher to place its ad code on the same pages that another publisher's code resides on, but only with the permission of the site's owner, the Sucuri blog post explains. 

"We take all forms of invalid activity and traffic very seriously, which is why we invest heavily in technology and resources to keep bad ads, bad sites and bad traffic out of our platforms," said a Google spokesperson, in a statement provided to SC Media. "We have extensive policies in place to protect users from harmful content across our networks and enforce those policies vigorously."

Sucuri reported that some of the sites compromised by the script were later re-infected with a clickjacking malware that creates unwanted Google AdSense ad blocks and hides them underneath a different ad. The ad Sucuri researchers could see was offering a free gift opportunity, but visitors who click on this lure are actually clicking on the ad concealed beneath it.

The hidden AdSense blocks, which are actually hard-coded directly into the <head> section of affected web pages, are invisible because the fraudsters have programmed them with an opacity of zero, meaning they are fully transparent.
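A site owner who suspects either of these injections can scan a page's source for the tell-tale patterns the article describes. The Python script below is an added example written for this page, not code from Sucuri, Google or the campaigns themselves. It flags ad units made invisible with `opacity:0`, ad units hard-coded into the `<head>` section, inline scripts that build an ad element together with layering or hiding CSS, and any unit whose AdSense client ID is not the owner's own (the strongest signal, since the article notes a single foreign client ID was reused across every infected site). The sample page and both `ca-pub-` IDs are constructed placeholders, as is the `own_client_id` parameter.

```python
"""Static scan of a page's HTML for injected or concealed AdSense units.

Added example, not Sucuri's or Google's code. The sample page and the two
ca-pub- client IDs are constructed placeholders, not real publisher IDs.
"""
import re
from html.parser import HTMLParser

# Attribute or script text that marks an element as part of an AdSense unit.
ADSENSE_HINTS = ("adsbygoogle", "data-ad-client", "ca-pub-")
CLIENT_ID = re.compile(r"ca-pub-\d+")
VOID_TAGS = {"img", "br", "meta", "link", "input", "hr", "source"}


def parse_style(style):
    """'opacity:0; position:fixed' -> {'opacity': '0', 'position': 'fixed'}"""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props


class AdScanner(HTMLParser):
    def __init__(self, own_client_id=None):
        super().__init__()
        self.own = own_client_id.lower() if own_client_id else None
        self.stack = []        # open tags, so we know when we are inside <head>
        self.script_buf = []   # body of the <script> currently being read
        self.findings = []

    def _foreign_ids(self, text):
        # Any client ID other than the owner's is someone else monetising the page.
        return sorted({c for c in CLIENT_ID.findall(text) if self.own and c != self.own})

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        in_head = "head" in self.stack
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        blob = " ".join(f"{k}={v}" for k, v in attrs.items()).lower()
        is_ad = any(h in blob for h in ADSENSE_HINTS)
        style = parse_style(attrs.get("style", ""))
        reasons = []
        if is_ad and style.get("opacity") == "0":
            reasons.append("ad unit hidden with opacity:0 (layered-lure pattern)")
        if is_ad and tag == "ins" and in_head:
            reasons.append("ad unit hard-coded inside <head>")
        for cid in self._foreign_ids(blob):
            reasons.append(f"foreign AdSense client ID {cid}")
        if reasons:
            self.findings.append({"tag": tag, "line": self.getpos()[0], "reasons": reasons})

    def handle_data(self, data):
        if self.stack and self.stack[-1] == "script":
            self.script_buf.append(data)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag == "script":
            # Injected loaders build the overlay <div> from script, so inspect the
            # whole script body once it is complete rather than chunk by chunk.
            text = "".join(self.script_buf).lower()
            self.script_buf = []
            reasons = []
            if any(h in text for h in ADSENSE_HINTS) and re.search(r"z-?index|opacity", text):
                reasons.append("inline script builds an ad element with layering/hiding CSS")
            for cid in self._foreign_ids(text):
                reasons.append(f"foreign AdSense client ID {cid}")
            if reasons:
                self.findings.append({"tag": "script", "line": self.getpos()[0], "reasons": reasons})
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:   # tolerate sloppy nesting
                pass


def scan(html, own_client_id=None):
    """Return a list of {tag, line, reasons} findings for the given page source."""
    scanner = AdScanner(own_client_id)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one hidden unit in <head>, one script-built overlay, and
# one legitimate unit belonging to the (placeholder) owner ID ca-pub-1111111111111111.
SAMPLE_PAGE = """<html><head>
<title>Recipe blog</title>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px;opacity:0" data-ad-client="ca-pub-0000000000000000" data-ad-slot="0000000000"></ins>
</head><body>
<div id="gift" style="position:absolute;top:0;left:0;z-index:1"><img src="/free-gift.png"></div>
<script>
var d=document.createElement("div");d.style.position="fixed";d.style.zIndex="2147483647";
d.setAttribute("data-ad-client","ca-pub-0000000000000000");document.body.appendChild(d);
</script>
<p>Actual article text the visitor came for.</p>
<ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-1111111111111111" data-ad-slot="0000000001"></ins>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE, own_client_id="ca-pub-1111111111111111"):
        print(f"line {f['line']} <{f['tag']}>: " + "; ".join(f["reasons"]))
```

Run it over each HTML template and any JavaScript file served by the site (the article notes the script was also appended to legitimate `.js` files, which the script-body check covers when the file is wrapped in a `<script>` tag). The `own_client_id` comparison is the check to keep even if the layout heuristics change, because a publisher always knows which single `ca-pub-` ID should appear on their pages.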

Strangely, most of the sites that Sucuri researchers found infected with this malware were defaced by Indonesian hackers. (The blog post doesn't explain the nature of the defacement, but it does note that the IP address linked to the JavaScript malware used in the first ad fraud attack points to a server located in Singapore, a "natural" choice for a cybercriminal based in Indonesia).

Denis Sinegubko, Sucuri blog post author and senior malware researcher, said that the ad injections may also be the work of Indonesian hackers “who might be experimenting with monetization of the sites that they hack. Maybe not the same group, but someone from that region with a similar background.”

In April 2016, Google published a blog post that acknowledged the growing threat of clickjacking and reported the company's efforts to defend its ad services. "Our clickjacking defenses operate at considerable scale, analyzing display ad placements across mobile and desktop platforms, evaluating a variety of characteristics," the blog post states. "When our system detects a clickjacking attempt, we zero in on the traffic attributed to that placement, and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks."