Researchers discover use of malicious cyber tool to commit digital ad fraud

A company focused on cybersecurity for the media industry says it has discovered that hackers are now using a technique designed to hide malicious code to commit digital ad fraud.

Officials at Devcon told The Hill on Sunday they uncovered the use of the technique — known as a polyglot — on Friday. They said that the use of polyglots, which are considered to be among the more technically advanced techniques available for cyber criminals, points to more hackers committing digital ad fraud.

In a polyglot, users can hide malware within the code for an existing file, like an image. In a successful attack using the tool, a web browser will only load the code for what appears to be its intended purpose, allowing the malicious code to remain hidden while it carries out the attack.

For example, the hackers can manipulate the code to make it appear as if it is only an image. But when a web browser uploads the image, it is also including the malware — a JavaScript code in this case uncovered by Devcon — which can then carry out an attack.

{mosads}The use of the polyglot “suggests that a lot of mainstream hackers are now getting into the ad fraud space,” Maggie Louie, the founder and CEO of Devcon, told The Hill.

In the polyglot uncovered by Devcon, the researchers found that the exploit was hidden in photos in digital ads.

Some of the images found by the firm and shared with The Hill include ones for a service labeled “MyFlightSearch” offering discounted flights for spring break, and for a company labeled “JobsImpact” that said it was hiring and encouraged users to click on the ad to “learn more.”

After the image appears, users can then be redirected to a pop-up offering a scam like a $1,000 gift card to Walmart.

“This all happens automatically without user interaction,” Josh Summitt, the chief technology officer at Devcon, told The Hill. “So the user doesn’t have to click an ad or anything like that for this to happen, it will just redirect them out of the site.”

“Most users, it annoys them,” he added. “Some users actually click on these things and give up their data.”

Summitt and Louie said that once the pop-up appears, other attacks can be carried out, from cryptomining to the installation of a remote access trojan, which effectively gives the hacker access to the user’s device and opens the door to future cyberattacks.

This isn’t the first time that malicious code has been hidden within images to commit ad fraud: In another exploit, known as steganography, pixels for an image will be replaced with code, causing the picture to look degraded.

But in a polyglot, Summitt said, the code is for both an image and the malware, which can hide the inclusion of the malicious code.

Louie said that since Devcon discovered the polyglot’s use in digital ad fraud, the company’s software has blocked it thousands of times on their clients’ sites, which include online publishers and ad networks.

Louie and Summitt said that the widespread use of the polyglot could mean that someone has made it easily available for hackers by including it in a toolkit that they can copy and paste from.

“It is an emerging attack,” Louie said. “I would say for anybody in the cyber world who is working with anybody that is in the advertising world, it’s really important to be aware that this is trending. We’re seeing it peak throughout our publisher network now.”