9 Real Examples of Click Fraud

Man

We have already talked about why click fraud is not losing ground but only increasing its pressure. The reasons are the constant improvement of fraudulent schemes and malware by fraudsters, the fact that brands and companies ignore the problem of click fraud, and overly intrusive advertising, which makes the situation worse.

Today we will look at real cases of click fraud that have caused millions and billions of dollars in damage to advertisers around the world.

Contents
1. Example 1. Coinminer and Malvertising
2. Example 2: Thai WeChat Click Farm
3. Example 3. We Purchase Apps* and imitation
4. Example 4. HummingBad and surveillance
5. Example 5. Chamois and hidden applications
6. Example 6. Zirconium and redirects
7. Example 7. Chameleon and pseudo-views of advertising
8. Example 8. Methbot and website spoofing
9. Example 9. Video ad that drained smartphone battery
10. Botfaqtor solution and protection against click fraud

Example 1. Coinminer and Malvertising

Malvertising is the use of online advertising to distribute malicious programs and introduce them onto a user's device - PC, tablets, SmartTV, smartphones, and browsers.

The creators of the Coinminer virus used it to mine bitcoins, illegally exploiting the computers of victims who accidentally downloaded it to their devices, for example, along with a malicious attachment in an email.

Reference: The Coinminer virus belongs to the Trojan family. Activity - since 2011. It hijacks users' web browsers, replaces the display of information, steals personal data, logins, passwords.
Signs of the presence of the Coinminer virus on the device:
  • A large number of malicious pop-up windows appear in the browser. Pages that open automatically in the browser redirect the user to fraudulent resources.
  • The device starts to work more slowly, and programs open with a delay and crash.
  • The processor load rises and consumes more of the computer's system resources.
  • Windows on the PC open on their own and chaotically.
  • Pages in the browser redirect the user to fraudulent sites.

In fact, it is a whole family of viruses used for various fraudulent operations.

In December 2017, cybersecurity experts discovered that attackers were distributing Coinminer via a Google Chrome browser extension and Facebook messages (owned by Meta, an organization banned in Russia). Experts identified at least two variants of the malware distributed via social network messages. Malware archives were uploaded to Facebook servers before the stage of sending links in a conversation, so when a user received a message, the download link actually came from the social network.

The attackers sent messages via a malicious Chrome extension that was first installed in the user's browser and then used the Facebook Messages API. The malware extracted the user's friends list and sent dangerous messages.

Although all leading antivirus programs quickly added detection for it, by that time Coinminer had already spread to many user devices and was bringing significant income to the scammers, who used it to generate bitcoins.

Example 2: Thai WeChat Click Farm

We have previously covered click farms in detail and the damage they can cause to advertisers. At best, they will hinder the promotion of a product; at worst, they will damage the advertising budget. The scale of click farms can be devastating to a business.

Reference: Click farms look like this: dozens of smartphones, usually old models and OS versions, installed on racks in several rows (like in a mobile phone store) and managed by just a couple of people. While these people work almost around the clock to earn at least some means of subsistence, the fraudsters - the owners of click farms - receive colossal incomes.

In 2017, a click farm was discovered during a police raid in Thailand, on the border with Cambodia. The police found out that the farm contained 300 thousand SIM cards, 400 of which were installed in iPhone smartphones.

The police photos make it clear that the comfort of the people working there was not a consideration, and they are a perfect illustration of how click fraud is a huge problem for both advertisers and consumers.

The purpose of this click farm was to promote products on the Chinese market sold through WeChat. The performers controlled the actions of a large number of bots according to a specific algorithm on the platform.

Reference: WeChat is not just a service for exchanging text and voice messages, but an entire social platform that serves as a messenger, a browser, an OS for mobile phones, and a social network.

Example 3. We Purchase Apps* and imitation

*We buy apps

In 2017, founders of startups that create mobile apps for Android and have a large user base received emails from representatives of a company called We Purchase Apps. They were offered a meeting about purchasing “potentially profitable apps.”

Upon closer inspection, it turned out that this was a scam. The letter from this company listed a UK phone number, although the office was registered in New York, which turned out to be someone's private home. When searching for any information about the company on Google, the results were modest, if any. This was the alarm bell for most honest developers.

Doubts also arose among developers of simple applications, such as mobile games or selfie apps, who nevertheless agreed to the deal. For a tidy sum, they allowed the new owners to do whatever they wanted.

The scammers associated with We Purchase Apps then monitored the behavior of users of the purchased apps in order to program bots to imitate the actions of real people. This was done with one goal: click fraud and the deception of advertisers.

If it weren't for Buzzfeed News, which exposed this criminal scheme, the scammers would have continued their activities. And the large platforms where all this happened would have stayed on the sidelines and would have done nothing if it hadn't been for the publicity, experts believe.

Example 4. HummingBad and surveillance

Reference: HummingBad (from the word hummingbird) is malware developed for Android. It installed 50 thousand malicious applications per day, displayed 20 million malicious ads and brought in more than 300 thousand dollars per month.

Although Asia is considered to be where advertising scammers are concentrated, there are no fewer of them in the West, since Android users are all over the world.

Experts have found that HummingBad is associated with the Yingmob group, which is an expert in hacking and malware development. The group is also responsible for creating programs that can hack most mobile devices with weak security systems.

They worked with a professional analytics company that was able to analyze the collected data and establish user behavior patterns based on it. The HummingBad malware was installed on mobile devices running the Android OS and took complete control of them for the benefit of the fraudulent group.

As a result, they had more than 10 million devices under their control. The attackers earned at least $300,000 per month.

Example 5. Chamois and hidden applications

The chamois is a type of mountain goat with unbranched horns that loves steep cliffs near forests. It is known for its endurance and adaptability. This characteristic gave its name to a family of malware embedded in thousands of mobile applications, some of which were even found in the Google Play Store. In fact, it was Google that gave this virus its name.

The apps distorted traffic volume using pop-ups, and also sent SMS messages and performed other fraudulent operations using hidden applications that were installed on the user's device when they viewed ads. Getting rid of hidden programs is not so easy, since they are in the phone's registry but do not appear in the visible list. Only specialists can find and remove them.

It is possible that the threat could have been detected earlier, but the malware was present in so many applications that it was actually quite difficult to isolate them. In the end, Google managed to get rid of most of the products infected with the Chamois virus.

Example 6. Zirconium and redirects

In 2017, Zirconium was the cause of the largest outbreak of false advertising. The malware worked through a complex system of false redirects. The creators of the malware provided advertising space on the sites of dubious and dangerous resources under the guise of affiliate marketing.

The virus worked like this: the user thought that he had some problems with the software on the device. He was constantly redirected to various resources, and a window popped up on the screen with a notification that Flash player needed to be updated.

Hidden behind the guise of an affiliate program and a complex infrastructure, it was for some time one of the most complex and productive networks for click fraud.

Example 7. Chameleon and pseudo-views of ads

And this botnet caused a lot of trouble for webmasters and advertisers in 2015. It could make billions of fake page views and ads.

Experts found that advertisers were losing about $6 million a month from the Chameleon botnet. The botnet was able to generate billions of pseudo-page views and ads on 200 sites managed by a group of webmasters. It imitated the behavior of real users, including clicks, and brought in multi-million dollar income to its creators.

Reference: Chameleon was the first botnet designed to attack digital advertising. Over 120,000 infected devices participated in the attack on websites and generated billions of fake ad views. Advertisers paid about $0.69 per thousand views.

Example 8. Methbot and website spoofing

In 2016, cybersecurity company White Ops discovered one of the largest botnets, Methbot, which targeted digital advertising in Europe and North America and was controlled by attackers from Russia.

With the help of this malware, the scammers earned from 3 to 5 million dollars a day, attacking the online advertising market. They were able to reach such revenue levels thanks to careful planning and strategy. Their botnet infrastructure included 571,904 IP addresses. They created 6 thousand domains and 250 thousand separate pages, which hosted exclusively video advertising. The domain names were as similar as possible to the sites of the largest publishers.

Thanks to this trick, the attackers deceived inattentive advertisers and placed the most expensive ads on their resources. Bots "viewed" from 200 to 300 million advertising videos daily, where the average cost per 1000 views was about $13.

But that's not all. They faked traffic using a large bot farm and made money by clicking on PPC ads. At its peak, Methbot was bringing in around $5 million a day for the scammers, according to experts.

How much damage did this botnet cause to the online advertising industry? Some sources claim that advertisers lost over $180 million.

Example 9. Video ads that drained smartphone battery

What is a malicious banner ad? It is when hidden video ads generate fraudulent revenue while draining the battery level of the user's device.

In 2019, BuzzFeed reported that Android apps using the MoPub ad platform were caught up in a click fraud scheme in which malware placed its own ads under real video ads and generated revenue for the fraudsters.

Both consumers and developers fell victim to this scheme. Developers couldn't figure out why their apps were draining the battery so quickly. But Protected Media, a company that, like White Ops, deals with click fraud issues, came to the rescue.

Fraudsters bought cheap inventory to display ads in the app and secretly played video ads underneath the real ones. Customers did not see these videos, as they played in the background, thereby generating income for the fraudsters.
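
Example 8 notes that Methbot's domains were made as similar as possible to the sites of the largest publishers. The check below is an added example, not part of the original post or any vendor's product: it shows how an advertiser could flag such near-miss domains in its own impression log. The publisher allowlist, the domains and the log records are constructed, and the $13 CPM is the figure quoted in Example 8.

```python
# Added example. All domains and log records are constructed for illustration.
KNOWN_PUBLISHERS = {"dailyherald.example", "sportsdesk.example", "videonews.example"}

def edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def normalize(domain):
    """Lower-case, drop a trailing dot and a leading www."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def closest_publisher(domain, max_distance=2):
    """Return (publisher, distance) for a near miss of an allowlisted domain."""
    d = normalize(domain)
    if d in KNOWN_PUBLISHERS:
        return None  # exact match: genuine inventory
    best = min(KNOWN_PUBLISHERS, key=lambda p: edit_distance(d, p))
    dist = edit_distance(d, best)
    return (best, dist) if dist <= max_distance else None

def flag_lookalikes(impressions):
    """Total views and spend per domain that imitates a known publisher."""
    report = {}
    for rec in impressions:
        hit = closest_publisher(rec["domain"])
        if hit:
            entry = report.setdefault(normalize(rec["domain"]),
                                      {"imitates": hit[0], "views": 0, "spend": 0.0})
            entry["views"] += rec["views"]
            entry["spend"] += rec["views"] / 1000 * rec["cpm"]
    return report

# Constructed daily log: views per domain and the CPM (USD) that was paid.
SAMPLE = [
    {"domain": "www.dailyherald.example", "views": 120_000, "cpm": 13.0},
    {"domain": "dailyherold.example", "views": 90_000, "cpm": 13.0},
    {"domain": "sports-desk.example", "views": 40_000, "cpm": 13.0},
    {"domain": "unrelated-blog.example", "views": 3_000, "cpm": 2.0},
]
if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE))
```

A distance threshold of 2 catches single-character swaps and inserted hyphens; domains it flags still need manual review, since legitimately similar names exist.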