CyberWire Daily - Popunders are not the good kind of ads. [Research Saturday]

Episode Date: March 25, 2023

On this episode, Jérôme Segura, senior threat researcher at Malwarebytes, shares his team's work, "WordPress sites backdoored with ad fraud plugin." WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues. The Malwarebytes team discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin; otherwise they appeared completely legitimate. The research can be found here: WordPress sites backdoored with ad fraud plugin

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:54 Yeah, so I've been looking at something called pop-unders, which is, you know, you're browsing the web and you click on a page and there is a window or a tab that opens in the background. So that's called Popunder. That's Jerome Segura, senior threat researcher at Malwarebytes. Today, we're discussing his research, WordPress sites backdoored with ad fraud plugin. And it's a form of advertising, definitely not the better kind. I was looking specifically for pop-unders because, you know, you can find all sorts of interesting things in terms of malware campaigns.
Starting point is 00:02:46 Most of the time, what I find is called malvertising. So malicious ads that push something like a fake browser update or a fake Microsoft page. There's all sorts of different kinds of payloads that it can push. But I've also come across a few ad fraud schemes recently. And I was kind of hunting within the pop-under traffic to see, okay, what am I going to find playing with the different geolocation? So if you come from the US, you're going to get different kinds of traffic than if you come from Europe, for example. Different user agents, so using Chrome, Firefox,
Starting point is 00:03:28 and just seeing what kind of traffic I'm getting. This one was interesting because the pop-under loaded a website that appeared to be a WordPress site. I could have easily closed it or thought, okay, there's nothing interesting here. But what I noticed is a few seconds after the site had been loaded, the page started to scroll down.
Starting point is 00:03:56 And I was like, okay, that's interesting. I'm not actually doing anything. The page is scrolling down. It's a little unsettling. And that's kind of where I thought, okay, there's something here that's going on. This is not just a legitimate website. There's malicious code behind somehow. And then I started digging more into it.
Starting point is 00:04:17 Before we dig into this particular instance, I have to ask, how do you go about hunting for pop-unders? Yeah, that's a good question. So, you know, within the ad ecosystem, there are different players. And those players, you know, there's kind of top players that are, I would say, you know, very legitimate. And then there's the middle players and then there's the bottom players, which, you know, you're going to find a lot of shady traffic if you go through those. So then it's just a matter of finding
Starting point is 00:04:53 particular websites that you know are going to trigger this kind of traffic. So pop-unders or pop-ups. And if you want to take a shortcut, there's basically a few types of websites that do that. Anything that's pushing streaming content or free downloads are notorious for pushing a lot of ads
Starting point is 00:05:16 as well as adult websites. So if you visit some of those websites with minimum security in terms of, you know, having no pop-up blocker or ad blocker or any security product on your machine, chances are, you know, something bad is going to happen. Your machine is going to get infected or you're going to get, you know, all sorts of scams popping up. And that's just, you know, kind of part of my job. I don't do that all the time because it's pretty consuming. But, you know, every now and again, I know where to look and
Starting point is 00:05:51 I'll spend, you know, maybe an hour hunting and see if anything comes up. And usually, you know, I can find something interesting. Yeah. I'm curious, I mean, do most modern web browsers protect their users against this sort of thing? I don't recall seeing very much of it lately. Yeah, I mean, so pop-ups in particular, typically they are blocked by most modern browsers. So if you're using Chrome, I think it's even enabled by default that a pop-up will be blocked and you even see a notification at the top of your browser. Obviously, there's a lot of money to be made,
Starting point is 00:06:34 so there's incentives to write code that will defeat that kind of technology. So the pop-under that I saw, the code for it is pretty long, just to trigger based on the click and then open the window. And it wasn't blocked by Google Chrome. And I tried in other browsers as well. I didn't spend too much time trying to identify what it's doing, but it was a bunch of JavaScript code that would trigger based on the click. And yeah, so it's still a problem. I hear people all the time saying,
Starting point is 00:07:09 I don't see any of that, and a lot of them are using some kind of ad blockers. So that would take care of a lot of the problem. But there are some sites that know you're using an ad blocker and very specific code that can bypass it as well. I see. Well, this particular research that you are describing here sort of intersected with WordPress sites.
Starting point is 00:07:32 What specifically about WordPress made it a viable target for these folks who are trying to make these ad pop-ups work? Yeah, so WordPress is known for blogs, although as a platform, it's not just for blogs. It can do full sites as well, but it's typically to publish content. And in the context of advertising, content is really important for things like SEO ranking.
Starting point is 00:08:04 So it's not unusual to see platforms like WordPress with blogs that are being used to defraud advertisers. Typically, the content is stolen. So a threat actor will copy and paste articles and then create a blog and just have all those articles. In this particular case, what drew my attention was, you know, I found one website and I noticed that if I visited the same website with its, you know, actual domain name, it wasn't doing any kind of weird behavior.
Starting point is 00:08:43 It was only if I entered the website through that specific link. And when I looked closer, that link, the full URL, was part of a plugin. And I did a bit of research on the plugin. It was called Fusermaster. And couldn't find much information about it other than one website that was showing, that's kind of scraping the web and showing, okay, this plugin is used on a few dozen websites that are WordPress out there.
Starting point is 00:09:14 They all have this plugin. Okay. But you couldn't download the plugin. There was no author. It was just a plugin. So I kind of thought, okay, somebody wrote that plugin specifically for ad fraud. And then it was a matter of, why is this plugin on all these websites? What do they have in common?
Starting point is 00:09:37 So what I found is, I went back to the pop-under and I tried to replicate clicking on it. So I erased my browser cache and then I revisited the same site, clicked, triggered the pop-under. And then I got another blog that was doing the exact same behavior. I was like, okay, there's more than one. So then I realized, okay, all these blogs, what they have in common is they all use this Fuser Master plugin. And then it took a bit more research to kind of dig into, okay, who may have created those blogs? Or have these blogs been hacked and injected with that plugin?
Starting point is 00:10:18 I wasn't sure. But looking at the previous versions of some of the blogs using the Internet Archive, I saw some things that pointed to a web developer in India and found his site. And then what was funny is his portfolio on his website actually included several of these WordPress blogs that were performing the ad fraud. So then it was, okay, I can't really prove he's the one that created the plugin, but it's kind of a weird coincidence that all of his sites end up in his portfolio. And actually, in his portfolio, if you browse on the thumbnail for each of his sites, there's the same kind of up and down scrolling that I was noticing in the ad fraud. So I was like, okay, that's a lot of signs that point in that direction.
Starting point is 00:11:20 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral
Starting point is 00:12:01 movement, connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. What do you suppose is going on here? I mean, is this a developer who is making legitimate sites for folks,
Starting point is 00:12:50 but then adding this onto it for his own benefit? Or are the sites themselves just placeholders to be able to activate this ad fraud? Well, I mean, definitely, you know, that individual is a web developer. He builds websites. There's no question about it. He's actually active in the WordPress community as well, asking questions in forums about different plugins and such. So he could have made some of the sites, you know, to do ad fraud. He could have built those sites, added the content,
Starting point is 00:13:23 and then essentially bought traffic from pop-unders and then redirected traffic to some of those websites and earned income. Or those sites could have been websites that he built for customers and then without telling the customer, included the plugin that he still controlled, and then was able to monetize from it.
Starting point is 00:13:51 I tried to verify some of these theories. Nothing was really strong enough to indicate any of them were valid. I did contact one of the website owners, which was not this developer as far as I know, contacted by email, did not receive a reply, but within the next hour, the plugin had been removed from their website.
Starting point is 00:14:18 Oh, interesting. Interesting. That is interesting. Tell me about the JavaScript code that is doing the scrolling and that sort of surreptitious activity, because there's some interesting things with that, right? Yeah, so one of the things you notice is once the blog is loaded, again, through that special URL, you'll notice that there's scrolling up and down. And that's just JavaScript, essentially, that uses some functions to control the scrolling. It's pretty much random.
Starting point is 00:14:57 And it just happens within different intervals. I'd say probably for about a minute, a minute and a half on the current page, there is that scrolling. And you've got to remember that this is a pop-under. That means the user is still on their other tab or window and is not seeing that blog at all. That tab could remain active for, you know, minutes or even longer until the, you know, the user actually closes all of their browser windows. So the code does that. And then after about a minute and a half,
Starting point is 00:15:30 during that time, it collects a bunch of links that are on that website, making sure to ignore external links. So it only collects internal links to that blog and then visits one of them randomly. So in essence, what it's doing, it's really mimicking user activity. It's reading the current article, browsing up and down, and then after a minute, a minute and a half, will click on the next article and continue the same process.
Starting point is 00:15:58 And it does that basically forever until it's being interrupted. And there are some conditions where it can get interrupted, which ironically is when there's real human activity. So there is a bit of JavaScript that will check if the user's mouse is on the actual page and has moved or clicked. And if it has, then all of a sudden it just stops. And the blog, the page becomes static.
Starting point is 00:16:34 There's no more scrolling, no more redirecting to different links. That's it. So it's like, you know, it doesn't want to show that behavior because the user all of a sudden has put that tab in focus and time's up. No more ad fraud. Right. Well, why the scrolling? What does that accomplish for them? So I think the scrolling, ad fraud is not my specialty, but from what I understand, it's part of, and there's actually another bit that I forgot to mention,
Starting point is 00:17:05 that's part of the recreating traffic that appears as legitimate as possible for the ad networks. So you think about a page that's being loaded, there is a bunch of data that's being collected. So whether you're dealing with Google or other ad networks, they want to find out if the traffic is legitimate. So having this kind of user activity on top of other elements, such as is this a real IP address?
Starting point is 00:17:35 You know, for example, is the user, you know, having a residential IP instead of using a VPN, things like that. It's all trying to determine whether this is a legitimate session or not. And if it's not, you have the ad networks and the companies that work in the ad fraud space, which also load their JavaScript within pages, that will stop rendering ads so that advertisers are not losing money for nothing.
Starting point is 00:18:04 But one thing that I did forget to mention is in order to make these websites appear legitimate, you wouldn't want to show the entry point being the pop-under from some shady website. Google would check the reference and say, hmm, this came from this website. Yeah, this is low-quality traffic. We're not going to allow ads on that page.
Starting point is 00:18:30 So what it's doing is, again, using the Fuser Master plugin, once it loads the entry point, it's like you get in the site and then you get back out. And you come back in using an open redirect. An open redirect is essentially a redirection in your browser that can happen from a search engine. So let's say, you know, you search for a keyword on Google, you click on the link that's going to redirect you. You can do the same thing. You can simulate all of that with a single URL, which is called an open redirect, as long as you provide certain parameters.
Starting point is 00:19:08 So that's exactly what they're doing here. You enter the blog, then you leave the blog briefly, and then you reenter, and the open redirect URL has certain keywords. So based on the blog, some of them were for moms, you know, you have keywords like mom, baby, and stuff like that. When the ads are going to be loaded, what you get is, okay, is traffic, first of all, from a legitimate user IP and what appears to be from a Google query.
Starting point is 00:19:38 So, you know, organic search SEO, and then clicking on the link, which is not the case at all. Yeah, that is interesting. So how contained is this? Is this something that folks who are running WordPress sites need to be concerned about? Or do we feel as though the folks who may be running this have kept it kind of to themselves? Yeah, I don't think, you know, it could be an interesting, I think that's where I was trying to figure out, okay, this is not very widespread.
Starting point is 00:20:10 I think I found about only 50 websites. So if it was a true attack against WordPress sites, you would see, you know, hundreds or thousands. It could be used as an attack. I mean, we see things all the time where threat actors will put 3DRX in WordPress blogs or anything like that. So it could potentially be used that way. You'd have to inject that plugin with admin rights, and then you would basically use all those sites for advertising purposes. I don't believe this is the case.
Starting point is 00:20:42 I believe it's just a fairly small operation. But, you know, somebody like, I'm sure there's a lot of people out there that are, you know, trying to figure out how can I make money from ads and, you know, what kind of shortcuts can I take? So, you know, in this case, they're like, okay, well, you know, we can purchase pop-under traffic, which is quite cheap. And then we'll just monetize it with some content that, you know, loads and loads of content and then make it appear that people are actually visiting
Starting point is 00:21:18 those websites. And I think the top one that I found had about three or four million visits a month, which is, you know, it's not huge, but it's fairly decent. And I think the average time on the site was like seven, 17 minutes or, you know, it was long enough and lots of pages visited. So if you think about it, all these ads being loaded for that amount of time with three or four million visitors a month, that's a nice living where you don't have to do anything. So I think, yeah, my blog was really to kind of expose this and show, you know, that it's one of many ways to defraud advertisers. And, you know, it's not, it's really not that complicated. And pop-unders are really a great format for doing this because, you know, like I said, they're cost efficient.
Starting point is 00:22:19 And, you know, people, you know, unless you close all your windows, that pop-under is going to be in the background. And, you know, you're going to be, you're going to be participating in ad fraud. Our thanks to Jerome Segura from Malwarebytes for joining us. The research is titled WordPress Sites Backdoored with Ad Fraud Plugin. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. Thank you. run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:23:42 The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
