Adometry, formerly Click Forensics, has uncovered a new ad hijacking scheme that requires only a visit to an infected Web site, and not a click on an ad. The virus targets search, video and display advertisers using a malware program that can self-install on a user's machine when the person visits a Web site, even if they take no other action.
Adometry's Malware Lab first identified the ad hijacking scheme in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user's computer through an advertisement on a popular Web site or simply when a browser visits a particular Web site. The virus, or ad hijacking, uses similar malware and delivery methods to create a network that can commit advertising fraud through a variety of advertisements, ad networks, publishers and channels.
The malware infects the computer and receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud. A search on a search engine, for example, displays results along with paid-search ads. The consumer clicks on a paid-search ad and the malware hijacks the search, delivering the person to another advertiser's ad. It's important to remember that the infected machine hijacks the search -- not the paid ad on google.com, bing.com or yahoo.com that the person who is searching clicks on.
The malware-infected computer causes organic or paid clicks to flow through a series of third-party networks and make money. "They don't do this for fun," said Steve O'Brien, vice president of marketing at Adometry. "They do it strictly to make money."
Not every company in that chain wants to participate and realizes they're part of a fraud scheme, O'Brien said. And it's really difficult to filter that stuff out because it looks legitimate. It's a "real" user and comes from a "real" browser, making it a "real" click. It takes auditing and validating third-party traffic, looking for patterns, trends, and anomalies.
For video ads, the malware hijacks an organic search and redirects the user's browser to a Web page that displays a video ad. When the video plays, the advertiser pays for the impression -- typically between $30 and $50 per thousand impressions (CPM), according to Adometry.
Through what Adometry calls "display impression inflation," the malware directs the computer's browser to a variety of publisher pages showing display ads to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for what they think are valid impressions because a person actually generates the traffic.