Look out for the MosQUito — a new kind of ad fraud that drains human traffic from infected websites

Marketing/anti-fraud agency eZanga says it could affect thousands, possibly millions, of WordPress and Joomla-based websites.

A Middletown, Delaware-based online marketing agency is today announcing it has discovered a new kind of ad fraud that is infecting thousands and possibly affecting millions of websites — and it’s not being caught because it uses real human visitors.

The infected script, dubbed MosQUito, since it quietly sucks “traffic away from the infected website and [takes] it elsewhere,” is present in at least 9,285 sites, and maybe many more, according to Richard Kahn, CEO and co-founder of eZanga.

Kahn told me that his company employs a custom-built platform to detect click and other fraud, since it also runs its own ad network for its marketing clients.

Recently, he said, one of eZanga’s engineers was conducting a routine check when he went to a site — which Kahn didn’t want to name at the moment — and it loaded slowly. But as soon as it loaded, the engineer found himself looking at another site, even though he hadn’t done anything.

What the engineer discovered, Kahn said, is that someone had hacked the content management system of the first site with a subtle code change. When a visitor comes to the site, the code randomly chooses some visitors and redirects them to another site.

In fact, although neither the visitor nor the site sees it, the redirect acts as if there has been a click on a pay-per-click ad for that destination site. The advertiser for that ad is charged for that click, apparently paying the hacker as if the hacker were the publisher of an invisible web page hosting that invisible ad.

Kahn said there’s no evidence that either the hacked site or the destination site is part of the fraud. The destination site’s anti-fraud protection sees only a real visitor, with a real IP address, a real browser and real user behavior, because there is a real human visitor. But the human didn’t intend to go there. Here’s a diagram from eZanga:

How MosQUito works

Kahn pointed to Sudoku.com, which he said has been hacked and is randomly sending visitors to other sites. A visitor, he said, could enter the Sudoku.com address, and, a few seconds after Sudoku loads, find herself looking at another site that we might call ABC.com.

Invisibly, though Kahn said an eZanga spider can detect it, the hacked script on Sudoku has acted as if the visitor “clicked” on an unseen PPC ad bought by ABC.com to drive traffic to itself, as if that ad were sitting on an unseen web page at a third site. The visitor sees no other web page and no visible ad, yet the ABC.com publisher pays for that ad click bringing traffic to his site. A real human shows up at ABC.com, which thinks it has gotten more traffic because of its ad, but the human has no interest in going there.

Kahn said his company is currently running other tests to discover the ad networks besides his own that are involved. So far, he told me, they have found out that nearly 10,000 websites using WordPress or Joomla content management systems are infected. The destination sites — which are running ads to bring traffic to their sites — “could run into the millions,” he speculated.

eZanga says the MosQUito code substitutes a jQuery.min.php reference for a jQuery.min.js one. Kahn pointed out that the actual infected script can be hosted on the originally infected site, or it can be hosted elsewhere and called.

In the case of Sudoku.com, he said, the actual infection is hosted elsewhere: on the website of the unsuspecting Florida Baptist Chaplains Network.
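A site owner can check rendered pages for the indicator eZanga describes. The following is an added example, not eZanga's detection code: it parses a page's script tags, flags any reference whose file name is jquery.min.php rather than jquery.min.js, and reports whether the script is hosted on the same site or elsewhere. The sample pages and host names (site.example, cdn.example.net) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Constructed sample pages (not taken from any real site).
CLEAN = '<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script></head></html>'
LOCAL = '<script type="text/javascript" src="/wp-includes/js/jquery/jQuery.min.php?ver=1"></script>'
REMOTE = '<SCRIPT SRC="//cdn.example.net/js/jquery.min.php"></SCRIPT><script src="/app.js"></script>'


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_suspect_scripts(html, page_url):
    """Return (absolute_url, 'same-host' | 'third-party') for each script
    reference whose file name is jquery.min.php instead of jquery.min.js."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and // URLs
        parsed = urlparse(absolute)
        # Compare the file name only, ignoring case and any query string.
        name = posixpath.basename(parsed.path).lower()
        if name == "jquery.min.php":
            where = "same-host" if parsed.hostname == page_host else "third-party"
            findings.append((absolute, where))
    return findings


if __name__ == "__main__":
    for label, page in (("clean", CLEAN), ("local", LOCAL), ("remote", REMOTE)):
        print(label, find_suspect_scripts(page, "https://site.example/"))
```

A same-host hit points at a file to inspect on the site's own server; a third-party hit means the template or database entry that emits the tag still needs to be found and cleaned.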

Kahn noted that the advertiser paying for the ad click is not the only one getting a worthless ad. So is the advertiser who might be getting charged for ad impressions on the page of the original site, because that ad is shown for only a second or two.

On Sudoku.com, he captured a screen shot of one of those display advertisers: us. Here’s a display ad for Third Door Media’s upcoming SocialPro conference on a Sudoku.com page:

Sudoku screenshot



About the author

Barry Levine
Contributor
Barry Levine covers marketing technology for Third Door Media. Previously, he covered this space as a Senior Writer for VentureBeat, and he has written about these and other tech subjects for such publications as CMSWire and NewsFactor. He founded and led the web site/unit at PBS station Thirteen/WNET; worked as an online Senior Producer/writer for Viacom; created a successful interactive game, PLAY IT BY EAR: The First CD Game; founded and led an independent film showcase, CENTER SCREEN, based at Harvard and M.I.T.; and served over five years as a consultant to the M.I.T. Media Lab. You can find him at LinkedIn, and on Twitter at xBarryLevine.
