Thousands of Infected WordPress Sites Redirect Users to Pages Driving Google Ads – Data from Sucuri

If you’ve ever been redirected to a strange Q&A website that appears to be promoting cryptocurrency or other blockchain technologies, it could be part of an ad fraud scam. Since the fall of last year, thousands of infected sites have been involved in similar fraudulent schemes.

Security researchers at Sucuri have spent the past few months tracking malware that redirects users to fraudulent pages to increase Google Ads ad impressions. More than 10,000 tested sites were found to be infected, causing them to redirect visitors to other pages.

Suspicious pages often have question and answer forms that mention Bitcoin or other blockchain-related topics. Savvy users might assume that these sites are trying to sell cryptocurrencies in a pump-and-dump scheme – but Sucuri suggests that all the text is just filler, hiding the real source of income.

Many of the URLs involved appear in the browser’s address bar as if the user had clicked on a Google search result leading to the sites in question. The ploy is an attempt to disguise the redirect as a jump from search results, potentially increasing search impressions for ad revenue. However, it’s not clear if this trick works because Google doesn’t register clicks on search results that match masked redirects.

Sucuri first noticed the malware in September, but the campaign intensified after the security team’s first report in November. In 2023 alone, researchers tracked more than 2,600 infected sites redirecting visitors to more than 70 new fraudulent domains.

The scammers initially hid their real IP addresses using Cloudflare, but after the November story, they were booted by the service. Since then, they have switched to the Russian DDoS-Guard service.

The campaign mainly targets WordPress sites by exploiting existing vulnerabilities in the engine. The malicious code can also stay hidden thanks to obfuscation, that is, deliberately masking the code to complicate its analysis (something similar is sometimes done by deputies in their draft laws). It can also be temporarily deactivated when an administrator logs in. Two-factor authentication and keeping the engine version up to date help counter the threat.

Also, attackers have recently been faking the sites of popular programs and placing ads for them on Google to spread malicious software. Avoid the advertising links at the top of Google search results when downloading installation files for popular software.

Source: TechSpot
