Thousands of websites infected to redirect users in Google Ads view-pumping scam

Daniel Sims

In a nutshell: If you've ever been redirected to a strange-looking Q&A website appearing to promote cryptocurrency or other blockchain technologies, it could be part of an ad-click-pumping scam. Since last fall, thousands of infected websites have been roped into these fraudulent schemes.

Security researchers at Sucuri have spent the last few months tracking malware that diverts users to fraudulent pages to inflate Google ad impressions. The campaign has infected over 10,000 websites, causing them to redirect visitors to completely different spam sites.

Suspect pages are often laid out as Q&A pages mentioning Bitcoin or other blockchain-related subjects. Savvy users might assume these sites are trying to sell Bitcoin or other cryptocurrencies, possibly for a pump-and-dump scheme. That may be the case, but Sucuri theorizes that all of the text is just filler content covering up the scam's actual revenue stream: Google ad views.

One clue is that many of the redirect URLs are built so that, in the browser's address bar, they look as if the visitor had arrived by clicking a Google search result. The ruse may be an attempt to make the redirects look like organic search clicks in Google's backend, inflating search impressions and thus ad revenue. Whether the trick actually works is unclear, because Google does not appear to register any search-result clicks matching the disguised redirects.

Sucuri first noticed the malware in September, but the campaign intensified after the security group's first report in November. In 2023 alone, researchers tracked over 2,600 infected sites redirecting visitors to over 70 new fraudulent domains.

The scammers initially hid their real IP addresses behind Cloudflare, but the service booted them after the November story. They have since migrated to DDoS-Guard, a similar but controversial Russian service.

The campaign mainly targets WordPress sites, which points to attackers exploiting vulnerabilities in WordPress installations, though the report does not name specific ones. The malicious code hides through obfuscation, and it temporarily deactivates when an administrator is logged in, so an operator who checks their own site from a logged-in browser may see nothing; the redirect only shows up for an ordinary visitor in a fresh session. Site operators should secure their admin panels with two-factor authentication and keep their sites' software up to date.
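The two behaviours above (obfuscation, usually base64 wrapped in eval, and a guard that keeps the redirect dormant for logged-in administrators) are exactly what a scan of a WordPress install should look for. The following is an added example written for this page, not Sucuri's tooling or code from the article: a heuristic scanner that decodes nested base64_decode() payloads and flags files that both check the WordPress login cookie and issue a redirect. The samples are constructed here (the payload is base64-encoded by the script itself) to mimic the described pattern; they are not real captures, and the hostname redirect.example is a placeholder.

```python
import base64
import re
from pathlib import Path

# Heuristic indicators for the behaviours described in the article: code that
# redirects ordinary visitors but stays dormant when the admin cookie is present.
INDICATORS = [
    ("skips_logged_in_admins", re.compile(r"wordpress_logged_in", re.I)),
    ("eval_of_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("php_location_redirect", re.compile(r"header\s*\(\s*['\"]Location:", re.I)),
    ("js_location_redirect",
     re.compile(r"(window|document)\.location(\.(href|replace))?\s*[=(]", re.I)),
]

# Literal base64 argument passed to base64_decode('...'); short strings are ignored.
BASE64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def decoded_layers(source: str, max_depth: int = 5) -> list[str]:
    """Decode every base64_decode('...') literal in source, then keep decoding
    literals found inside the decoded text, up to max_depth layers deep."""
    layers: list[str] = []
    pending = [source]
    for _ in range(max_depth):
        next_pending = []
        for text in pending:
            for m in BASE64_ARG.finditer(text):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:      # binascii.Error is a ValueError subclass
                    continue
                decoded_text = decoded.decode("utf-8", "replace")
                layers.append(decoded_text)
                next_pending.append(decoded_text)
        if not next_pending:
            break
        pending = next_pending
    return layers


def find_indicators(source: str) -> list[str]:
    """Names of indicators present in the source or in any decoded layer."""
    texts = [source] + decoded_layers(source)
    return [name for name, pat in INDICATORS if any(pat.search(t) for t in texts)]


def assess(source: str) -> dict:
    """A file is suspicious when it checks for the admin cookie AND redirects,
    whether the redirect is in plain text or buried under eval/base64."""
    found = find_indicators(source)
    redirects = {"php_location_redirect", "js_location_redirect"} & set(found)
    return {"indicators": found,
            "suspicious": "skips_logged_in_admins" in found and bool(redirects)}


def scan_tree(root: str, suffixes=(".php", ".js")) -> dict[str, dict]:
    """Walk a WordPress install and return path -> assessment for suspicious files."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            verdict = assess(text)
            if verdict["suspicious"]:
                results[str(path)] = verdict
    return results


# Constructed samples (not real malware): the redirect is base64-wrapped in
# eval and guarded by a check for the WordPress login cookie.
_PAYLOAD = b'header("Location: https://redirect.example/?q=bitcoin"); exit;'
_INNER = "eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "'));"

SAMPLE_INJECTED_PHP = (
    "<?php\n"
    "if (!isset($_COOKIE['wordpress_logged_in_' . COOKIEHASH])) {\n"
    "    " + _INNER + "\n"
    "}\n"
)

# Same logic, encoded twice: the scanner must peel both layers.
SAMPLE_NESTED_PHP = (
    "<?php if (!isset($_COOKIE['wordpress_logged_in_abc'])) { "
    "eval(base64_decode('" + base64.b64encode(_INNER.encode()).decode() + "')); }"
)

# Benign control: touches the login cookie but never redirects.
SAMPLE_CLEAN_PHP = (
    "<?php if (isset($_COOKIE['wordpress_logged_in_abc'])) { echo 'Hi admin'; }"
)

if __name__ == "__main__":
    for label, sample in [("injected", SAMPLE_INJECTED_PHP),
                          ("nested", SAMPLE_NESTED_PHP),
                          ("clean", SAMPLE_CLEAN_PHP)]:
        print(label, assess(sample))
```

Run scan_tree() against the document root from a shell on the server, not from a logged-in browser; the regexes are deliberately loose, so treat a hit as something to read by hand rather than as proof of infection, and compare any flagged core, plugin or theme file against a clean copy of the same version.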

This campaign isn't the only recent malware drive connected to Google ads. Malicious actors have also been impersonating popular software applications to spread malware, gaming Google's ad ranking so their ads appear above the genuine download pages in search results. For now, those looking to download apps like Discord or GIMP should avoid looking them up through Google.




Posts: 265   +180
Any hosting company or server owner should consider using a combination of active malware scanning (like checking the actual contents of an upload) and also deploying ModSecurity with an OWASP ruleset (checks POSTs to the website). The problem with 99.9% of all those WordPress security plugins is that they only protect WordPress itself, but if you target a "standalone" file such as a leaky script, it's completely avoided by any of the WordPress security plugins. The best security is set at the server: 10x faster and far more reliable. Also, pushed updates should always be set to on if you run something terrible like WordPress.



Posts: 8,760   +8,303
I get that, in theory, this is not Google's fault. However, incidents like this have gotten to such a level that without Google, these incidents could not exist, IMO. IMO, incidents like this are all the more reason that Big Tech needs to be reined in.


Posts: 1,271   +1,842
Not a very helpful report, no mention of what versions of WP are affected, or the specific vulnerability in question, etc.

Feng Lengshun

Posts: 57   +24
Lol, you okay there Google? Seems like you've been having a hard time on so many fronts lately. Maybe, I don't know, try to keep your "world-best developers" more satisfied instead of firing or cancelling their projects left and right?