Kaspersky Lab’s researchers have discovered a new botnet that cashes-in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims’ computers with the Magala Trojan Clicker, generating fake ad views, and making up to 350$ from each machine. Small enterprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it.
Contextual online advertising is a lifesaver for small enterprises that are usually unable to promote their products and services and increase potential customer awareness in other ways. The most common way to build a channel of supply and communication for these organizations is to purchase ads from legal advertising companies. However, if the latter are unscrupulous, small companies will flush money down the drain, and customers simply will not see the ad. This is exactly what happens with the Magala botnet.
Its authors compromise computers with malware, which then generates fake views and clicks for ads, thus switching machines into zombie mode and making a profit for the malware’s authors. Once propagated, Magala imitates a user click on a particular webpage, boosting ad click counts. The main victims are those paying for the ad; typically, they are small enterprise owners dealing with fraudulent advertisers.
The Magala infection vector is quite simple – it propagates computers via compromised websites and discreetly installs its required adware. Magala then contacts the remote server and requests a list of search queries for click counts that need to be boosted. Using this list, the program begins to send search queries and click on each of the first 10 links in the search results, with an interval of 10 seconds between each click.
List of search queries
According to Kaspersky Lab’s researchers, an average cost per click (CPC) in a campaign like this is 0.07 USD. The cost per thousand (CPM) comes to 2.2 USD. Ideally, a botnet consisting of 1000 infected computers clicking 10 website addresses from each search result, and performing 500 search requests with no overlaps in the search results, could ideally mean the virus writer earns up to 350 USD from each infected computer.
“Although this type of advertising fraud has long been known, the emergence of new botnets focusing on that area indicates that there is still a demand on half-legitimate promotion. Trying to cut their costs, small businesses go for that option, but spoil their ad efforts as a result. The success of Magala is yet another wake-up call for users to make the most of solid security solutions and keep all their software updated – in order to not fall victim to cybercriminals,” concludes Sergey Yunakovsky, security expert at Kaspersky Lab.
To learn more about Magala Trojan Clicker, please read the blog post, available on Securelist.com.
To reduce the risk of infection, users are advised to:
- Use robust security solutions and make sure they keep all software up to date.
- Regularly run a system scan to check for possible infections.
- Stay wise when purchasing ads. It is better to choose trusted partners than try to cut the costs and rely on unverified counterparties.