Adult content malvertising scheme leads to clickjacking

Malwarebytes’ researchers have found a malvertising scheme that leads to clickjacking.

Clickjacking is a form of ad fraud which is also referred to as click fraud or click spam. It is a practice performed by certain dubious advertising networks, where they sometimes use automated programs—from simple to sophisticated bots and botnets—to interact with advertisements online. But it can also be done by tricking legitimate users into clicking ads, visiting pages, and (in some cases) creating fake form submissions.

Ad fraud means that the advertiser pays the referrer or the advertising network to show their ads to interested visitors. In reality, the criminal doesn’t care who actually clicks or whether they are interested, as long as the money keeps coming their way.

The campaign

To start things up, visitors are lured to several fake blogs about topics they might find interesting.

the actual blogThis is how the actual blog looks

The original blog however is hidden by an overlay showing blurred explicit content and a button asking the visitor to confirm they are 18+ and asking if they want to enter the website. We have seen a few different overlays on the same website, so there could some fingerprinting involved. Below are a few examples:

example of overlay 1

overlay button version 2

Whichever one the visitor sees, clicking the button does nothing other than registering a click on an advertisement. However, that does help the cybercriminals set up this clickjacking scheme. 

advertisement targeting Dutch audience

Above is an example of an advertisement shown to a Dutch IP and, below, a screenshot of the Google ad that was presented to a Canadian IP address.

full link to the advertisement shown to a Canadian visitor

This is the link behind the version you can see here:

overlay version 3Dragging the button allows the visitor to see where the click will take them

The code behind these attacks is obfuscated.

obfuscated javascript

In this case there is no imminent danger for the website visitor. It is just wasted money for the advertiser. So, if you run into one of these, don’t make them any richer by clicking that 18+ button.

If you are spending money on advertising it is worth looking at what you get for the money your are spending. According to research carried out by BusinessOfApps the total cost of ad fraud in 2022 was around $81 billion, and is predicted to increase to $100 billion by 2023.

If the spending and return on investment are non-transparent, advertisers can also look at solutions that can significantly reduce their advertising costs. You can try some for free for up to 5,000 paid clicks per month on the Google Ads platform.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.