Published on June 2nd, 2020

What Do Hacking And Malware Have To Do With Ad Fraud?



We’ve all seen those annoying pop-ups that say “you’ve won a prize, click here NOW!” or “your device has been compromised, click here NOW!” When you try to close the pop-up, you accidentally click it, and you’ve just approved malware to be installed on your own device. 

Bad guys seem to be working overtime, especially now during the pandemic lockdowns when most folks are at home, on their personal devices. There are a number of reasons for this, including the fact that personal devices are usually less well hardened against malware and other malicious attacks than corporate devices. Several cyber security firms have confirmed this uptick in malvertising (malware-laced ads) since the middle of March 2020, when the quarantines began. But why do hackers spend time trying to get malware on your devices? Some do it for kicks, but most do it for the money.

Harvesting Passwords and Personal Information

When hackers get malware onto your devices, the malicious code lurks in the background, unseen by the user. As the user goes about their daily activities on the device, personal information can be collected — for example, what sites you visit, what search terms you type, what products you look at on Amazon, etc. More importantly, when the user logs into their online banking, their logins and passwords are also harvested and sent back to the “mother ship” when the malware calls home. Other malware can encrypt files and demand payment to decrypt them; this is known as ransomware. Malware can also use the resources of your device to mine for cryptocurrency — i.e. cryptomining. Once malware is on your device, it can do any number of these things that are harmful to the user, but useful and profitable for the hacker.

BuzzFeed News: Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme

Harvesting passwords and collecting other user behavior information doesn’t yield immediate profits for the hacker. This is usually a two-step process — 1) harvest, and 2) sell on the dark web. The profitability also depends on what a buyer is willing to pay for those stolen credentials. In the past, this was lucrative enough when millions of emails and passwords could be sold for tens of pennies each. But in recent years, we’ve seen examples of large data files of such credentials simply being dumped on hacker forums, for free. Why would they dump something if they could sell it? This implies compromised passwords are so abundant and widely available they are practically worthless.

Making Money Directly With Digital Ad Fraud





So what’s a hacker to do? Do ad fraud instead. Instead of a two-step process, ad fraud is a one-step process — i.e. it makes money directly. The malware on devices can load digital ads in the background, without the users’ knowledge or any form of interaction. The hacker gets paid for the ad impressions. The malware can also easily simulate clicks on the ads or alter the tracking data to make it look like the ads were served on legitimate websites, in which case the hacker gets paid more. 

Further, hackers love mobile devices because they are always on, and always connected to the Internet, unlike your laptop, which you turn off at night. Getting malware on mobile devices means the malware can make money from digital ads 24/7. When ad fraud becomes the dominant source of revenue, everything else is just bonus income. Hackers no longer rely on selling credentials on the dark web, profit margins unknown. Ad fraud is practically 99% pure profit because the fake digital ads cost nothing to create, and the hacker can control how much money they want to make (by instructing the malware to work harder, e.g. load 200 ads per second instead of 100).
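The two behaviors described above, ad loads at rates no person could view and activity around the clock, are visible in impression logs. The following is an added example, not code from the article: the log format (`timestamp device_id`), the thresholds, and the device names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune against your own traffic.
MAX_ADS_PER_SECOND = 5   # more than this in one second is not human viewing
MAX_ACTIVE_HOURS = 20    # distinct hours with ad loads within a single day

def flag_devices(lines, max_per_sec=MAX_ADS_PER_SECOND, max_hours=MAX_ACTIVE_HOURS):
    """Return {device_id: [reasons]} for devices whose ad loads look automated."""
    per_second = defaultdict(Counter)                      # device -> second -> count
    hours_by_day = defaultdict(lambda: defaultdict(set))   # device -> date -> hours seen
    for line in lines:
        ts_text, device = line.split()
        ts = datetime.fromisoformat(ts_text)
        per_second[device][ts.replace(microsecond=0)] += 1
        hours_by_day[device][ts.date()].add(ts.hour)
    flagged = {}
    for device in per_second:
        reasons = []
        if max(per_second[device].values()) > max_per_sec:
            reasons.append("rate")        # burst of impressions inside one second
        if max(len(h) for h in hours_by_day[device].values()) > max_hours:
            reasons.append("always_on")   # impressions in nearly every hour of a day
        if reasons:
            flagged[device] = reasons
    return flagged

def sample_log():
    """Constructed sample data: three hypothetical devices over one day."""
    day = datetime(2020, 6, 1)
    lines = []
    # Human-like: one ad every 30 minutes between 08:00 and 21:30.
    for i in range(28):
        lines.append(f"{(day + timedelta(hours=8, minutes=30 * i)).isoformat()} dev-human")
    # Burst: 200 ads inside a single second, the article's example rate.
    for i in range(200):
        lines.append(f"{(day + timedelta(hours=3, microseconds=5000 * i)).isoformat()} dev-burst")
    # Always-on: one ad per hour, but in all 24 hours of the day.
    for h in range(24):
        lines.append(f"{(day + timedelta(hours=h, minutes=7)).isoformat()} dev-always-on")
    return lines

if __name__ == "__main__":
    for device, reasons in flag_devices(sample_log()).items():
        print(device, reasons)
```
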

At-Scale Money Making For Cybercriminals

Using malware on devices, hackers can directly make money from digital ad fraud. The malware is clever enough to remain undetected for long periods of time, and capable enough to carry out a wide variety of actions on the compromised devices. Sometimes, unsuspecting consumers also download apps laced with malware. So what is the possible scale of such operations? If you think about the DDoS (distributed denial of service) attacks that overwhelmed even the largest of sites like Google, Twitter, Reddit, and Netflix, you get a sense of the scale of fraud that these botnets can achieve. Overwhelming sites with traffic was not lucrative; but using the same traffic for ad fraud is. Really, really lucrative. Hackers hack; their job is to get around your defenses and cover their tracks.

CMOs should always assume hackers can get by fraud detection tech and make the digital ads look legit; but common sense should tell you that when something is too good to be true, it probably is — in other words, when you get humongous quantities of ads at a super low price, ask how, and ask for more details from those who bought it for you.
