Look out for the MosQUito — a new kind of ad fraud that drains human traffic from infected websites
Marketing/anti-fraud agency eZanga says it could affect thousands, possibly millions, of WordPress and Joomla-based websites.
A Middletown, Delaware-based online marketing agency is today announcing it has discovered a new kind of ad fraud that is infecting thousands and possibly affecting millions of websites — and it’s not being caught because it uses real human visitors.
The infected script, dubbed MosQUito, since it quietly sucks “traffic away from the infected website and [takes] it elsewhere,” is present in at least 9,285 sites, and maybe many more, according to Richard Kahn, CEO and co-founder of eZanga.
Kahn told me that his company employs a custom-built platform to detect click and other fraud, since it also runs its own ad network for its marketing clients.
Recently, he said, one of eZanga’s engineers was conducting a routine check when he went to a site — which Kahn didn’t want to name at the moment — and it loaded slowly. But as soon as it loaded, the engineer found himself looking at another site, even though he hadn’t done anything.
What the engineer discovered, Kahn said, is that someone had hacked the content management system of the first site with a subtle code change. When a visitor comes to the site, the code randomly chooses some visitors and redirects them to another site.
In fact, although the visitor or the site doesn’t see it, the redirect is actually acting as if there’s been a click on a pay-per-click ad for that destination site. The advertiser for that ad is charged for that click, apparently paying the hacker as if the hacker were the publisher of an invisible web page hosting that invisible ad.
Kahn said there’s no evidence that either the hacked site or the destination site is part of the fraud. The destination site’s anti-fraud protection sees only a real visitor, with a real IP address, a real browser and real user behavior, because there is a real human visitor. But the human didn’t intend to go there. Here’s a diagram from eZanga:
Kahn pointed to Sudoku.com, which he said has been hacked and is randomly sending visitors to other sites. A visitor, he said, could enter the Sudoku.com address, and, a few seconds after Sudoku loads, find herself looking at another site that we might call ABC.com.
Invisibly, which Kahn said an eZanga spider can detect, the hacked script on Sudoku has acted as if the visitor “clicked” on an unseen PPC ad bought by ABC.com to drive traffic to itself, as if that ad were sitting on an unseen web page at a third site. The visitor sees no other web page, and no visible ad, yet the ABC.com publisher pays for that ad click bringing traffic to his site. A real human shows up at ABC.com, which thinks it has gotten more traffic because of its ad, but the human has no interest in going there.
Kahn said his company is currently running other tests to discover the ad networks besides his own that are involved. So far, he told me, they have found out that nearly 10,000 websites using WordPress or Joomla content management systems are infected. The destination sites — which are running ads to bring traffic to their sites — “could run into the millions,” he speculated.
eZanga says the MosQUito code substitutes a jQuery.min.php reference for a jQuery.min.js one. Kahn pointed out that the actual infected script can be hosted on the originally infected site, or it can be hosted elsewhere and called.
In the case of Sudoku.com, he said, the actual infection is hosted elsewhere: on the website of the unsuspecting Florida Baptist Chaplains Network.
Kahn noted that the advertiser paying for the ad click is not the only one getting a worthless ad. It’s also the advertiser who might be getting charged for ad impressions on the page of the original site — because the ad is only shown for a second or two.
On Sudoku.com, he captured a screen shot of one of those display advertisers: us. Here’s a display ad for Third Door Media’s upcoming SocialPro conference on a Sudoku.com page: