Popup enlarges at the last second so users click on ads instead of ‘Close’ button

March 31, 2019

If there’s one thing that cyber-criminals are good at, it’s at coming up with new ideas to generate profits in the shadiest and sometimes the most original ways.

Among all criminal groups, the most creative bunch are the ones involved with malvertising (malicious ads). Because of the quick pace at which browser vendors tend to patch reported problems, these groups need to come up with new tricks more often than their colleagues involved with desktop or mobile malware.

Over the past few months, security researchers at Malwarebytes, who study the evolution of malvertising groups and their respective campaigns, have observed a new method that crooks are using to generate profits.

The idea is to lure unsuspecting users on malicious websites that show an ad inside a popup. Like most popups, a “close” button will be displayed in the popup’s top-right corner.

However, when the user moves his mouse to close the popup, CSS code from that page will expand the popup and move the ad in the cursor’s path, so any click on the close button will actually land on the ad instead.

Malwarebytes’ Jérôme Segura explains:

The crooks use CSS code dynamically appended to the page that monitors the mouse cursor and reacts when it comes over the X. The timing is important to capture the click a few milliseconds later when the ad banner comes in focus. These client-side tricks are implemented to maximize ad profits, since revenue generated from ad clicks is much higher.

An animated GIF of this old switcheroo trick is embedded below.

In a report published this week, Segura said this trick was being abused by a group who has been recently involved in exploiting a WordPress plugin zero-day to take over sites.

The group planted code on these hacked sites to hijack small amounts of traffic that they’d later redirect towards various types of sites –such as tech support scams, sites performing ad fraud, or online stores hosting credit card-stealing code.

Traffic redirection diagram — Image: Malwarebytes

This trick of moving the ad in the place of a popup’s close button is just the latest in a long line of sneaky gimmicks.

In the past, crooks would trigger thousands of downloads until they froze users’ browsers on tech support scams, making them believe their computer had serious problems; they’d create JavaScript infinite loops to keep the CPU at 100 percent and slow down the user’s computer; or they’d use custom cursors to offset the mouse click area and prevent users from closing tabs [this has been recently fixed].

Since this latest trick of quickly transposing an ad’s position uses CSS code, it can’t be blocked by a classic ad blocker. However, using an ad blocker would prevent the ad getting loaded inside the popup in the first place, and would make this trick useless.