How hackers are breaking into the advertising industry

To paraphrase the classic children’s book, if you give a mouse a cookie, it’ll just ask for another. But if you teach a mouse to make cookies, it’ll launch a cross-platform marketing campaign to increase the brand awareness of its new line of gluten-free chocolate chip “snackables.”

As it turns out, hackers are a lot like mice.

Juan Guerrero, a senior security researcher at Moscow-based cybersecurity giant Kaspersky Lab, noted that in 2015, his company noticed a significant shift in the type of sketchy programs appearing across the Internet.

“The trends have been a little surprising,” he wrote in an email to the Daily Dot. “Over the past year, we saw a decrease in the production of malware to match an increase in the production of adware. Some of these malware authors are catching on to a different revenue stream that doesn’t present as many immediate complications but continues to prey on undiscerning users.”

Between 2014 and 2015, analysts at Kaspersky recorded a drop in the number of malware samples they encountered in the wilds of the Internet from 325,000 to 310,000. This decrease was matched by a nearly identical increase in the amount of adware they discovered.

The difference between malware and adware can be subtle. When people think about traditional computer viruses, they’re typically envisioning programs classified as malware. Most malware is designed to covertly implant itself on a user’s computer system and then steal information that can be used later for purposes like identity theft. Adware, on the other hand, covertly implants itself on a user’s computer system and then starts displaying ads—often in the form of annoying pop-ups—to users as they browse the web.

In both cases, the goal of the attackers is financial. However, the shift from malware to adware carries a number of benefits for the attackers.

“The original economic incentive remains the same, but it’s emboldened by more legitimate means of monetization through ad-network payouts and getting to trade on user information valuable to marketers,” Guerrero explained. “Having an adware company also lends a certain legitimacy and legal cover not afforded to malware authors, allowing them to dispute attempts to block their software or publicly disparage their brands.”

Since distributing adware generally isn’t illegal, being identified as the source of adware typically doesn’t carry the same legal risk. Since profits from adware are obtained legally, there’s no need to launder ill-gotten funds, which is often necessary when hackers use malware to steal banking or credit card account data.

In addition, the legality of adware allows the companies producing it to push back against attempts by makers of antivirus products to categorically block their software. However, there is a growing incentive for the producers of cybersecurity products to protect users from adware.

“It’s trading one evil for another…For the victim, it may well amount to the same [thing],” Guerrero insisted. “Adware typically hijacks aspects of the user’s machine to serve undesired content over which the user has no control. This can include being served up malware by hijacked ad networks, so even the most well-meaning adware can serve as a conduit to a malware infection.”

A study published by the cybersecurity firm Cyphort found that, between June 2014 and February 2015, the number of ad networks distributing viruses to the people to whom the ads were displayed had tripled. Many of the instances of malware distribution occurring through ad networks were a result of hackers taking advantage of the ad networks themselves—which happened last September, when Google’s DoubleClick network was found to be unwittingly distributing malware.

Last year, Microsoft took steps toward combating certain strains of adware. In April, the computing giant began categorically blocking adware that causes web browsers to open advertising windows that are intentionally difficult to close, don’t include the name of the program that created the ad, and don’t provide a straightforward way to uninstall the program.

In December, the company took the policy one step further by classifying as viruses all adware that uses so-called “man in the middle” techniques, such as altering DNS settings and network layer manipulation, which trick a user’s computer into sending data through an untrusted third party instead of just its intended recipient.

“We encourage developers in the ecosystem to comply with the new criteria,” company officials noted in a December blog post. “We are providing an ample notification period for them to work with us as they fix their programs to become compliant. Programs that will fail to comply will be detected and removed.”

Even if other companies follow suit, malware would still pose a significant threat to everyone who uses the Internet. One of the biggest problems is that of ransomware—programs that threaten to make the contents of a user’s computer systems permanently inaccessible unless the victim directly pays the hackers to revert their files back to their original form.

“The amounts tend to be small enough for law enforcement not to take it seriously on an individual basis, but significant enough to add up to a sizable chunk of change for those attackers that manage to infect users in droves,” Guerrero noted. “This year alone, our products detected ransomware on the machines of 750,000 unique users.”

Photo via Rob DiCaterino/flickr (CC by 2.0) | Remix by Max Fleishman

Aaron Sankin

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.