Research Saturday 3.25.23
Ep 274 | 3.25.23

Popunders are not the good kind of ads.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyber space. Thanks for joining us.

Jerome Segura: Yeah. So I've been looking at something called pop-unders, which is - you know, you're browsing the web, and you click on the page. And there is a window or a tab that opens in the background. So that's called pop-under. 

Dave Bittner: That's Jerome Segura, senior threat researcher at Malwarebytes. Today we're discussing his research "WordPress sites backdoored with ad fraud plug-in." 

Jerome Segura: And it's a form of advertising - definitely not the better kind. I was looking specifically for pop-unders because, you know, it's - you can find all sorts of interesting things in terms of malware campaigns. Most of the time what I find is called malvertising - so malicious ads that push something like a fake, you know, browser update or a fake Microsoft page. There's all sorts of different kinds of payloads that it can put. But I've also come across a few ad fraud schemes recently. 

Jerome Segura: And I was kind of hunting, you know, within the pop-under traffic to see, OK, what am I going to find? Playing with the different geolocation - so if, you know, if you come from the U.S. you're going to get, you know, different kind of traffic than if you come from Europe, for example. Different user agents - so using Chrome, Firefox and, you know, just seeing what kind of, you know, traffic I'm getting. And this one was interesting because the pop-under, you know, loaded a website that appeared to be a WordPress site. 

Jerome Segura: You know, I could have easily closed it or think, OK, this is nothing interesting here. But what I noticed is a few seconds after the site had been loaded, the page started to scroll down. And I was like, OK, that's interesting. I'm not actually doing anything. The page is scrolling down. 

Dave Bittner: That's a little unsettling. 

Jerome Segura: Yeah. 

Dave Bittner: (Laughter). 

Jerome Segura: And that's kind of where I thought, OK, there is something here that's going on. You know, this is not just a legitimate website. There is malicious code behind it somehow. And then I started digging more into it. 

Dave Bittner: Well, before we dig into this particular instance, I have to ask, how do you go about hunting for pop-unders? 

Jerome Segura: Yeah, that's a good question. So, you know, within the ad ecosystem, there are different players. And those players, you know, you can - there's kind of top players that are - I would say, you know, the ones that are pretty much, you know, very legitimate. And then there's the middle players, and then there's the bottom players, which, you know, you're going to find a lot of shady traffic if you go through those. So then it's just a matter of finding particular websites that you know are going to trigger this kind of traffic, so pop-unders or pop-ups. 

Jerome Segura: And, you know, if you want to take a shortcut, there's basically, you know, a few types of websites that do that. Anything that's pushing, you know, streaming content or free downloads is notorious for pushing a lot of ads - as well as adult websites. So if you visit some of those websites, you know, with minimum security in terms of having no pop-up blocker or ad blocker or any security product on your machine, chances are, you know, something bad is going to happen. You're going to - your machine is going to get infected, or you're going to get, you know, all sorts of scams popping up. 

Jerome Segura: And that's just, you know, kind of part of my job. I don't do that all the time because it's pretty consuming. But, you know, every now and again, I know where to look, and I'll spend, you know, maybe an hour hunting and see if anything comes up. And usually, you know, I can find something interesting. 

Dave Bittner: Yeah. I'm curious. I mean, do most modern web browsers protect their users against this sort of thing? I don't recall seeing very much of it lately. 

Jerome Segura: Yeah, I mean, so pop-ups in particular - typically they are blocked by most modern browsers. So if you're using Chrome, I think it's even enabled by default that, you know, a pop-up will be blocked. And you see even a notification at the top of your browser. You know, obviously, there's a lot of money to be made. So there's incentives to write code that will defeat that kind of technology. 

Jerome Segura: So the pop-under that I saw is, it's actually made - the code for it is pretty long, just to trigger based on the click and then open the window. And, you know, it wasn't blocked by Google Chrome, and I tried in other browsers as well. I didn't spend too much time trying to identify what it's doing, but it was a bunch of JavaScript code that, you know, would trigger based on the click. And yeah, so, you know, it's still a problem, you know, especially - you know, I hear people all the time saying, you know, I don't see any of that, and a lot of them are using some kind of ad blocker. So that would take care of a lot of the problem. But there are some sites that know you're using an ad blocker and have very specific code that can bypass it as well. 

Dave Bittner: I see. Well, this particular research that you are describing here sort of intersected with WordPress sites. What specifically about WordPress made it, you know, a viable target for these folks who are trying to make these ad pop-ups work? 

Jerome Segura: Yeah. So WordPress is known for blogs, although as a platform, it's not just for blogs. It can do full sites as well, but it's typically to publish content. And in the context of advertising, content is really important for things like SEO ranking. So it's not unusual to see, you know, platforms like WordPress with blogs that are being used to defraud advertisers. Typically, the content is stolen. So, you know, a threat actor will copy and paste articles and then create a blog and just have all those articles. 

Jerome Segura: In this particular case, what drew my attention was, you know, I found that one website, and I noticed that if I visited the same website with its, you know, actual domain name, it wasn't doing any kind of weird behavior. It was only if I entered the website through that specific link. And when I looked closer, that link, the full URL, was part of a plug-in. And I did a bit of research on the plug-in - it was called Fuser-master - and couldn't find much information about it other than one website that was showing - that's kind of scraping the web and showing, OK, this plug-in is used on a few dozen websites that are WordPress out there. They all have this plug-in. 

Jerome Segura: OK, but, you know, you couldn't download the plug-in. It was - there was no author. It was just a plug-in. So I kind of thought, OK, somebody wrote that plug-in specifically for ad fraud. And then it was a matter of, you know, why is this plug-in on all of these websites? What do they have in common? 

Dave Bittner: And what do they have in common? 

Jerome Segura: So what I found is - I went back to the pop-under, and I tried to replicate clicking on it. So I, you know, I erased my browser cache and then I revisited the same site, clicked, triggered the pop-under, and then I got another blog that was doing the exact same behavior. I was like, OK, there's more than one. So then I realized, OK, all these blogs, all - what they have in common is they all use this Fuser-master plug-in. And then it took a bit more research to kind of dig into, OK, who may have created those blogs? Or are these blogs - you know, have they been hacked and injected with that plug-in? 

Jerome Segura: I wasn't sure. But, you know, looking at the previous versions of some of the blogs using the Internet Archive, I saw some things that, you know, pointed to a web developer in India and, you know, found his site and then his - what was funny is his portfolio and his website actually included several of these WordPress blogs that were performing the ad fraud. So then it was, OK, I can't really prove he's the one that created the plug-in, but it's kind of a weird coincidence that, you know, all of these sites end up in his portfolio. And actually in his portfolio, if you browse on the thumbnail for each of his sites, there is the same kind of up-and-down scrolling that I was noticing in the ad fraud. So I was like, OK, that's a lot of signs that point... 

Dave Bittner: (Laughter). 

Jerome Segura: ...You know, in that direction. 

Dave Bittner: What do you suppose is going on here? I mean, is this a developer who is making legitimate sites for folks but then adding this onto it for his own benefit? Or are the sites themselves just placeholders to be able to activate this ad fraud? 

Jerome Segura: Well, I mean, definitely, you know, that individual is a web developer. He builds websites, and there's no question about it. He is - one of his - he's actually active in the WordPress community as well, asking questions in forums about different plug-ins and such. So he could have made some of the sites, you know, to do ad fraud. He could have built those sites, added the content, and then essentially bought traffic from pop-unders and then redirected that traffic to some of those websites and earned, you know, income. Or, you know, those sites could have been websites that he built for customers and then, you know, without telling the customer, included the plug-in that he still controlled and then, you know, was able to monetize from it. I tried to verify, you know, some of these theories. I couldn't really - you know, nothing was really strong enough to indicate any of them were valid. I did contact one of the website owners, which was not this developer, as far as I know - contacted by email, did not receive a reply. But within the next hour, the plug-in had been removed from their website. So... 

Dave Bittner: Oh, interesting. 

Jerome Segura: Interesting. 

Dave Bittner: (Laughter) That is interesting. Tell me about the JavaScript code that is doing the scrolling and that sort of surreptitious activity because there's some interesting things with that, right? 

Jerome Segura: Yeah. So one of the things you notice is once the blog is loaded, again, through that special URL, you'll notice that it's scrolling up and down. And that's just JavaScript, essentially, that uses some functions to control the scrolling. It's pretty much random, and it just happens, you know, within - you know, within different intervals, I'd say probably for about a minute, a minute and a half, on the current page, varies that scrolling. And you got to remember that this is a pop-under. That means the user is still on their other tab or window, is not seeing that blog at all. That tab could remain active for, you know, minutes or even longer until the - you know, the user actually closes all of their browser windows. So the code does that. And then, after about a minute and a half, during that time, it collects a bunch of links that are on the website, making sure to ignore external links - so it only collects internal links to that blog - and then visits one of them randomly. So in essence, it's - what it's doing, it's really mimicking user activity. It's reading the current article, browsing up and down, and then after a minute, a minute and a half, will click on the next article, and continue the same process. And it does that basically forever until it's interrupted. And there are some conditions where it can get interrupted, which ironically is when there is real activity. So... 

Dave Bittner: (Laughter). 

Jerome Segura: There is a bit of JavaScript that will check if the user's mouse is on the actual page and has moved or clicked. And if it has, then all of a sudden, it just stops. And the blog, the page, becomes static. There's no more scrolling, no more redirecting to different links. That's it. So it's like - you know, it doesn't want to show that behavior because the user, all of a sudden, has put that tab in focus, and, you know, time's up. No more ad fraud. 

Dave Bittner: Right. Well, why the scrolling? What does that accomplish for them? 

Jerome Segura: So I think the scrolling - you know, ad fraud is not my specialty. But from what I understand, it's part of - and there's actually another bit that I forgot to mention - that's part of the, you know, recreating traffic that appears as legitimate as possible for the ad networks. So you think about a page that's being loaded. There is a bunch of data that's being collected. So whether you're - you know, you're dealing with Google or other ad networks, they want to find out if the traffic is legitimate. So having this kind of user activity on top of other elements such as, is this a real IP address, you know, for example, is the user, you know, having a residential IP instead of using a VPN, things like that - it's all trying to determine whether this is a legitimate session or not. And if it's not, you have the ad networks and the companies that work in the ad fraud space, which also load their JavaScript within, you know, pages, that will stop rendering ads so that, you know, advertisers are not losing money for nothing. 

Jerome Segura: But one thing that I did forget to mention is in order to make these websites appear legitimate, it would be - you know, you wouldn't want to show the entry point being the pop-under from, you know, some shady website, you know? Google would check the - referencing. This came from this website. Yeah, this is low-quality traffic. We're not going to allow ads on that page. So what it's doing is, again, using the Fuser-master plug-in, once it loads the entry point, it's like you get in the site. And then you get back out. And you come back in using an open redirect. An open redirect is essentially a redirection in your browser that can happen from a search engine. So let's say, you know, you search for a keyword on Google. You click on the link. That's going to redirect you. You can do the same thing - you can simulate all of that with a single URL, which is called an open redirect, as long as you provide certain parameters. So that's exactly what they're doing here. You enter the blog. Then you leave the blog briefly. And then you reenter. And the open redirect URL has certain keywords. So based on the blog, it can be - some of them were for moms, you know, and had keywords like mom, baby and stuff like that. When the ads are going to be loaded, what you get is, OK, it's traffic, first of all, from a legitimate user IP and what appears to be from a Google query - so you know, organic search, SEO, and then clicking on the link - which is not the case at all. 

Dave Bittner: Yeah, that is interesting. So how contained is this? Is this something that folks who are running WordPress sites need to be concerned about? Or do we feel as though the folks who may be running this have kept it kind of to themselves? 

Jerome Segura: Yeah, I don't think - you know, it could be an interesting - I think that's where I was trying to figure out, OK, this is not very widespread. I think I found only about 50 websites. So if it was a true attack against WordPress sites, you would see, you know, hundreds of thousands. It could be used as an attack. I mean, we see things all the time where, you know, threat actors will put redirects in WordPress blogs or anything like that. So it could, you know, potentially be used that way. You'd have to inject that plug-in, you know, with admin rights. And then you would basically use all those sites for advertising purposes. I don't believe this is the case here. I believe it's just a fairly small operation. 

Jerome Segura: But, you know, somebody like - I'm sure there's a lot of people out there that are, you know, trying to figure out, how can I make money from ads? And, you know, what kind of shortcuts can I take? So you know, in this case, they're like, OK, well, you know, we can purchase pop-under traffic, which is quite cheap. And then we'll just monetize it with some content that - you know, loads and loads of content and then make it appear that people are actually visiting those websites. And I think the top one that I found had about three or four million visits a month, which is - you know, it's not huge, but it's fairly decent. And I think the average time on the site was, like, 17 minutes or - you know, it was long enough and lots of pages visited. So if you think about it, all these ads being loaded for that amount of time, with three or four million visitors a month, that's a nice living where you don't have to do anything. 

Jerome Segura: So I think, yeah, my blog was really to kind of expose this and show, you know, that it's one of many ways to defraud advertisers. And, you know, it's not - it's really not that complicated. And pop-unders are really a great format for doing this because, you know, like I said, they're cost efficient. And, you know, people - you know, unless you close all your windows, that pop-under is going to be in the background. 

Dave Bittner: Yeah. 

Jerome Segura: And, you know, you're going to be participating in ad fraud. 

Dave Bittner: Our thanks to Jerome Segura from Malwarebytes for joining us. The research is titled "WordPress Sites Backdoored with Ad Fraud Plugin." We'll have a link in the show notes. The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.