Ad Malware Fraud


Ad fraud malware is one of the more profitable specialities in the cyber crime world, and the attackers who use it often have to adapt their tactics in order to keep the money rolling in. One of the tactics that they have adopted in recent months is that of updating the version of Flash that’s installed on an infected machine.

This technique is not something unique to ad fraud malware. Attackers have been known to patch the vulnerabilities they exploited to get on to a given machine as a way to keep other hackers out and some malware strains have been seen doing this, too. But the motivation for doing this likely is somewhat different for criminals using ad fraud malware. In their case, they’re not so much interested in the cleanliness of the machine as they are in the ads a user sees being displayed correctly.

That’s where the move to update Flash comes in.

Flash is required to play many video ads in browsers, and most modern browsers won’t run Flash content if the version that’s installed is too far out-of-date. This is designed to protect users against exploits targeting older Flash versions, but it also cuts into the profits of ad fraud crews that rely on fraudulent views or clicks on ads to make money. A malware researcher who uses the name Kafeine said he has seen versions of the Kovter ad fraud malware updating Flash to the most recent version in order to make sure video ads will play.

Ad fraud networks are a serious problem for site owners and advertisers, both of whom lose money when bots are used to click on or view ads.

“Modern ad-fraud bots don’t directly click on ads as many may expect. Instead they use low quality PPC exchanges to route their traffic to publishers who pay these exchanges for traffic. Once the bot lands on the publisher’s site, it automatically defrauds all the ad impressions on the site (and in some cases the video ads as well),” Sergei Frankoff of security firm Sentrant wrote in an explanation of how such networks operate.

Ad fraud malware such as Kovter and Bedep have close relationships with exploit kits, namely Angler and Fiesta, both of which are used often to drop these payloads. A group of attackers using Kovter from behind some domains in China recently began dropping the malware from the Nuclear exploit kit, a change from their previous use of Fiesta, according to Brad Duncan, a security researcher at Rackspace and handler at the SANS Internet Storm Center.

That group uses domains for the exploit kit that change several times per day and uses the familiar recipe of compromised web sites and injected javascript in order to infect users.

“During a full infection chain, the traffic follows a specific chain of events.  The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain.  The gate domain redirects traffic to Nuclear EK on  If a Windows host running the web browser is vulnerable, Nuclear EK will infect it,” Duncan wrote.