Over the past weeks, security researchers from Sucuri and Malwarebytes have discovered two campaigns that abuse hacked and fake websites to push Google ads and trick users into clicking these advertisments, for the crooks profits.

In both campaigns, which appear to be unrelated, the crooks abuse AdSense, Google's service that allows website owners to insert ads on their sites.

Hacking sites to inject overly aggressive ads

The first campaign was detected by security researchers from Sucuri, a company specialized in web security.

The company's experts were called in to investigate a series of hacked websites that showed giant ad panels on top of their content.

Overly aggressive Google AdSense ads
Overly aggressive Google AdSense ads [Source: Sucuri]

The owners of these sites had a hard time discovering how the ad panels appeared. According to Sucuri, attackers compromised the sites and either inserted the JavaScript code manually inside the website's source code or had altered core CMS files to load the JavaScrit code automatically.

These attacks didn't target one specific type of platform, and the attackers compromised sites running on WordPress, Joomla, Magento, and even static HTML sites.

In some cases, the attackers appeared to have compromised the WordPress admin account as well, since the malicious code had been added to the site using a widget, and not by editing source files.

According to Sucuri, these gigantic ads appear on both mobile and desktop versions of the compromised sites, and attackers used a filtering system to show the ads only to real users.

Moreover, because of the aggressive techniques used by the hackers to show their ads, if Google were to penalize someone, ironically it would be the legitimate site owner because "every publisher is responsible for the content of a site on which their ad code is placed," according to the official AdSense policy.

"If a site is found in violation of our policies, we will notify any publisher(s) whose ad code is on the site," the policy continues. According to Denis Sinegubko, the Sucuri expert who discovered these hacks, "it's easier to find the legitimate publisher ID if you inspect the site because the attacker’s ID is being loaded on the fly from a third-party server."

Clickbait blogs disguise as adult portals to harvest user clicks

The second campaign that aggressively pushed AdSense ads was discovered by Malwarebytes and didn't involve hacked websites.

This campaign revolved around shady blogs, created by scraping content from legitimate sites.

Crooks pushed web traffic to these sites by using various black hat SEO techniques that tricked Google and other search engines into ranking these websites above others.

Via a traffic filtering system crooks also separated real users from search engine bots, and users that arrived on the sites via redirects or by manually typing in the URL (security researchers).

Bots and users manually typing in the blog's URL would see the blog, in its natural state, but for users arriving on the site via redirects, the blog would be hidden under an overlay that showed a fake adult portal.

Users loading one of the site's videos, when attempting to play the adult movie, would unwittingly click on a hidden ad, made invisible by the site's owners.

Fake adult portal that tries to trick users into clicking on a hidden ad
Fake adult portal that tries to trick users into clicking on a hidden ad [Source: Malwarebytes]

So basically, users that didn't want to visit the adult site in the first place were trying to play a nonexisting video but actually clicking on a hidden ad.

And advertising companies still wonder why more and more people are installing ad blockers.