In a nutshell: If you've ever been redirected to a strange-looking Q&A website appearing to promote cryptocurrency or other blockchain technologies, it could be part of an ad-click-pumping scam. Since last fall, thousands of infected websites have been roped into these fraudulent schemes.
Security researchers at Sucuri have spent the last few months tracking malware that diverts users to fraudulent pages to inflate Google ad impressions. The campaign has infected over 10,000 websites, causing them to redirect visitors to completely different spam sites.
Suspect pages often have Q&A forms mentioning Bitcoin or other blockchain-related subjects. Savvy users might assume these sites are trying to sell Bitcoin or other cryptocurrencies, possibly for a pump-and-dump scheme. That may be the case, but Sucuri theorizes that all of the text is just filler content covering up the scam's actual revenue stream, Google ad views.
A clue suggesting this is that many of the URLs involved appear in a browser's address bar as if the user clicked on Google search results leading to the sites in question. The ruse could be an attempt to disguise the redirects as clicks from search results in Google's backend, potentially inflating search impressions for ad revenue. However, it is unclear if this trick works because Google doesn't register any search result clicks matching the disguised redirects.
Sucuri first noticed the malware in September, but the campaign intensified after the security group's first report in November. In 2023 alone, researchers tracked over 2,600 infected sites redirecting visitors to over 70 new fraudulent domains.
The scammers initially hid their real IP addresses using CloudFlare, but the service booted them after the November story. They have since migrated to DDoS-Guard, a similar but controversial Russian service.
The campaign mainly targets WordPress sites, suggesting existing zero-day WordPress vulnerabilities. Moreover, the malicious code can hide through obfuscation. It can also temporarily deactivate when administrators log in. Site operators should secure their admin panels through two-factor authentication and ensure their sites' software is up-to-date.
This campaign isn't the only recent malware drive connected to Google ads. Malicious actors have also been impersonating popular software applications to spread malware to users, gaming Google's ad ranking to appear at the top of search results. For now, those looking to download apps like Discord or Gimp should avoid looking them up through Google.