Ever wonder what malware actually looks like as it runs undetected on users’ machines? The fraud detection service Forensiq isolated a malicious bot and then infected a virtual computer to see how much digital ad fraud really occurs when a computer is infected — and recorded it happening in a new video (below).
A machine infected with malware can load invisible pages in the background, generating thousands of fake ad impressions and costing advertisers millions for impressions that are never seen by users or detected as fraudulent by ad networks.
For example, the botnet Chameleon, discovered last year, infected over 120,000 computers, generated 9 billion ad impressions across at least 202 web sites and cost advertisers an estimated $6.2 million a month.
The screenshot from the video above shows the bot on a page loaded with hundreds of ads, never visible to users. Ads for leading brands such as Rite Aid, Toyota, General Motors and Procter & Gamble are seen appearing on pages in the video.
Placing JavaScript code next to the ad unit allowed the team to record how the ad is loaded, and the application allowed Forensiq to bring to the foreground the processes that typically run in the background with a headless browser, which can access pages on the web but has no visible user interface.
In 24 hours, the bot had generated over 10,000 impressions from both video and display ads from the single computer. Taking the Chameleon botnet as an example, if this bot were distributed across 120,000 machines, that quickly adds up to more than 1.2 billion fraudulent ad impressions a day.
This particular malware was designed to reset itself every five minutes to simulate a new user. It also turned off and on at random times to appear more human-like. While some malware can block detection tools and hide its tracks, this malware didn’t have that capability, but it could suppress warning messages from websites, allowing it to remain running in the background.
Asked whether ad networks would still register these ads as meeting the IAB/MRC’s definition of viewable ad impressions, Forensiq’s data science team said that in many cases advertisers buying viewable impressions would still be charged because the botnet simulates a full-screen browser window. In addition, the team responded:
“Technology that relies solely on the geometric coordinates of the viewport may simply report these ads as in-view because the botnet simulates a maximized browser window. The botnet also has the capability of simulating user mouse trails to further increase the chances the impressions are marked as ‘human’ by fraud detection services that rely on this verification.”