Attackers work by replacing jQuery.min.js on hacked sites with a malicious file named jQuery.min.php

May 3, 2016 21:50 GMT

Anti-fraud firm eZanga says it detected a malicious campaign that's stealing paid and organic traffic from legitimate businesses and redirecting it to all kinds of nefarious-looking websites.

According to the company's experts, this happens after crooks hack into websites, usually running CMSs like Joomla and WordPress, and alter their source code.

The old jQuery switcheroo

Hackers are looking for sites where the jQuery JavaScript library is loaded, and replace the standard jQuery.min.js file with jQuery.min.php.

This malicious PHP file watches the site's incoming traffic and randomly selects a victim whom it redirects to another website under the attacker's control, where ads are usually displayed to users.

By engaging in such behavior, crooks are stealing a site's legitimate traffic, either coming via search engines or paid advertising campaigns.

Replacing jQuery.min.js with jQuery.min.php is an old trick. In the past, crooks used it to inject websites with hidden links in order to boost the SEO rankings of their own domains.

MosQUito attack causes ad fraud

Webmasters of these hacked websites slowly lose users and their sites' reputation. Ad networks that show advertisements on these websites lose money.

This happens because the jQuery.min.php script enables the hacked website to load, waits for a few seconds, and then redirects the user to another site.

Because of this small delay, the ads load on the hacked websites, but users never get a chance to click them, being spirited away to another URL.
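A defender-side check for the swap described above, added here as an example (it is not eZanga's or Softpedia's code): it parses a page's script tags and flags any whose source is a server-side file rather than a static .js, and it applies a loose content heuristic for the pause-then-redirect behaviour. The sample HTML, the script bodies and the hostname example.invalid are constructed for the demo; the extension list and the regex heuristics are assumptions that a site owner would tune to their own stack.

```python
import re
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urlparse

# Constructed sample pages for the demo (not taken from any real site).
CLEAN_PAGE = """<html><head>
<script src="/media/jui/js/jquery.min.js"></script>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
</head><body></body></html>"""

SUSPECT_PAGE = """<html><head>
<script src="/media/jui/js/jquery.min.php"></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="/ajax/menu.php"></script>
<script src="//example.invalid/assets/jQuery.min.php?v=3"></script>
</head><body></body></html>"""

# Constructed script bodies used to exercise the content heuristic.
BENIGN_SCRIPT = "setTimeout(function () { console.log('carousel ready'); }, 1000);"
SUSPECT_SCRIPT = "setTimeout(function () { window.location.href = 'https://example.invalid/'; }, 4000);"

LIBRARY_NAMES = ("jquery",)  # library names that should always be served as static .js
SERVER_SIDE_EXTS = (".php", ".php5", ".phtml", ".asp", ".aspx", ".jsp")  # assumed list

HIGH = "library-named file served by a server-side script"
REVIEW = "server-side script used as a script source; confirm it is intentional"


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def suspicious_script_sources(html):
    """Return [(src, reason)] for script tags whose source is a server-side file.

    urlparse drops the query string and copes with scheme-relative URLs, so
    '//host/jQuery.min.php?v=3' is judged on the path 'jQuery.min.php'.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        name = basename(urlparse(src).path).lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        if ext not in SERVER_SIDE_EXTS:
            continue
        reason = HIGH if any(lib in name for lib in LIBRARY_NAMES) else REVIEW
        findings.append((src, reason))
    return findings


TIMER_RE = re.compile(r"\bsetTimeout\s*\(")
REDIRECT_RE = re.compile(r"\blocation(?:\.href|\.replace|\.assign)?\s*[=(]")


def looks_like_delayed_redirect(js_text):
    """Heuristic for the pause-then-redirect behaviour: a timer and a navigation call in one script."""
    return bool(TIMER_RE.search(js_text) and REDIRECT_RE.search(js_text))


if __name__ == "__main__":
    for src, reason in suspicious_script_sources(SUSPECT_PAGE):
        print(f"{src}: {reason}")
    print("delayed redirect:", looks_like_delayed_redirect(SUSPECT_SCRIPT))
```

Genuine jQuery itself calls setTimeout and touches location, so the content heuristic belongs on whatever an unexpected .php script URL returns, not on known-good library files. A stronger check than either heuristic is comparing the bytes the server actually returns for the jQuery URL against the hash of the release the site pinned.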

Ad networks lose money because, for some of their ads, webmasters get paid by impression. Additionally, webmasters also lose money in pay-per-click campaigns because users don't get to click on their ads before being redirected.

"Advertisers who dedicate budget to converting sources are the most affected. They simply see a converting user coming from a certain source, thereby dedicating additional budget towards that source. If advertisers have optimized campaigns around traffic from these converting sources, it’s entirely possible you’ve whitelisted performing, infected websites, thereby perpetuating the problem off of these stolen visitors," an eZanga spokesperson told Softpedia via email.

eZanga has published a list of 9,285 websites affected by this attack, which they nicknamed MosQUito.

Image captions: "MosQUito attack replaces jQuery.min.js with jQuery.min.php" and "How the MosQUito attack works".