Popup enlarges at the last second so users click on ads instead of 'Close' button
techrepublic cheat sheet
If there's one thing that cyber-criminals are good at, it's at coming up with new ideas to generate profits in the shadiest and sometimes the most original ways.
Among all criminal groups, the most creative bunch are the ones involved with the re-distribution of traffic from hacked sites. Because of the quick pace at which browser vendors tend to patch reported problems, these groups need to come up with new tricks more often than their colleagues involved with desktop or mobile malware.
Over the past few months, security researchers at Malwarebytes, who study the evolution of traffic re-distribution groups and their respective campaigns, have observed a new method that crooks are using to generate profits.
The idea behind this new method is to send unsuspecting users on malicious websites that show an ad inside a popup. Like most popups, a "close" button will be displayed in the popup's top-right corner.
However, when the user moves his mouse to close the popup, CSS code from that page will expand the popup and move the ad in the cursor's path, so any click on the close button will actually land on the ad instead.
Malwarebytes' Jérôme Segura explains:
The crooks use CSS code dynamically appended to the page that monitors the mouse cursor and reacts when it comes over the X. The timing is important to capture the click a few milliseconds later when the ad banner comes in focus. These client-side tricks are implemented to maximize ad profits, since revenue generated from ad clicks is much higher.
An animated GIF of this old switcheroo trick is embedded below.
Malwarebytes has discovered a malvertising campaign that redirects users to websites where boobytrapped popups automatically adjust an ad's position when users try to press the "close" button, so the user inadvertently clicks on the ad instead.https://t.co/gMqDig6F9Z pic.twitter.com/WVauzLdFjN
— Catalin Cimpanu (@campuscodi) March 31, 2019
In a report published this week, Segura said this trick was being abused by a group who has been recently involved in exploiting a WordPress plugin zero-day to take over sites.
The group planted code on these hacked sites to hijack small amounts of traffic that they'd later redirect towards various types of sites --such as tech support scams, sites performing ad fraud, or online stores hosting credit card-stealing code.
This trick of moving the ad in the place of a popup's close button is just the latest in a long line of sneaky gimmicks.
In the past, crooks would trigger thousands of downloads until they froze users' browsers on tech support scams, making them believe their computer had serious problems; they'd create JavaScript infinite loops to keep the CPU at 100 percent and slow down the user's computer; or they'd use custom cursors to offset the mouse click area and prevent users from closing tabs [this has been recently fixed].
Since this latest trick of quickly transposing an ad's position uses CSS code, it can't be blocked by a classic ad blocker. However, using an ad blocker would prevent the ad getting loaded inside the popup in the first place, and would make this trick useless.
All the Chromium-based browsers
More browser coverage:
- Chrome and Firefox are borrowing from each other's performance features
- Microsoft releases Application Guard extension for Chrome and Firefox
- First image surfaces of Google Chrome's upcoming Tab Groups feature
- Google Chrome to block automatic downloads initiated from ad slot iframes
- Google announces Chrome Lite Pages, a way to speed up HTTPS sites
- Google fixes Chrome 'evil cursor' bug abused by tech support scam sites
- What enterprises need to know about the new Chromium-based Edge TechRepublic
- Google's most secure login system now works on Firefox and Edge, too CNET