A cyber security firm has uncovered a new malware framework believed to have generated over one billion fake Google AdSense ad impressions in the past three months.
US firm Flashpoint released the findings, revealing that the malware had generated not only fake Google ad impressions but also fake likes on YouTube videos.
“A newly discovered malware framework is responsible for more than one billion fraudulent ad impressions in the past three months, generating its operators significant Google AdSense revenue on a monthly basis,” said Flashpoint’s Jason Reaves and Joshua Platt.
“The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex’s browser.
“Content producers benefit financially from higher counts, which can lead to some unscrupulous behaviour.”
How does it work?
The malware sets itself up on users’ devices as a scheduled task and then steals browser login credentials and cookies.
It then places the adverts in browser sessions or runs scripts to generate fake traffic without the user realising.
“Most of the code in the framework is related to ad fraud and includes scripts that search and replace ad-related code on web pages [as well as] code for reporting clicks and other data to the command-and-control infrastructure,” said Reaves and Platt.
Flashpoint also found that most of the fake YouTube likes are related to Russian political videos, which could be a hint as to where the malware originates.
There is also a large ‘blacklist’ of websites the malware does not infect, mostly Google domains and Russian websites, which the researchers suggest is due to the risk of “throwing off the impressions”.