The anti-fraud firm eZanga claims that it has detected a malicious campaign which is stealing paid and organic traffic from legitimate businesses and redirecting it to all kinds of nefarious-looking websites.
The company’s experts say that this happens after cyber criminals hack into websites which usually run CMSs, like Joomla and WordPress, and alter their source code.
The attackers search for websites that load the jQuery JavaScript library and replace the standard jQuery.min.js file with jQuery.min.php.
The malicious PHP file watches the website’s incoming traffic and selects a victim whom it redirects to another website under the hacker’s control, where adverts are displayed to users.
In this way, cyber criminals are stealing a website’s legitimate traffic, either coming via search engines or paid advertising campaigns.
In fact, replacing jQuery.min.js with jQuery.min.php is an old trick. Some time ago, hackers used it to inject websites with hidden links in order to boost the SEO rankings of their own domains.
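A site owner can check for the swap described above by scanning the web root for PHP files named like jQuery and for script tags that load one. The following Python sketch is an added example, not code from eZanga or from the campaign; the sample site it builds, the list of template extensions and the function names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Matches a <script> tag whose src points at a jquery*.php file instead of a .js file.
SCRIPT_RE = re.compile(
    r"""<script[^>]+src\s*=\s*["']?([^"'\s>]*jquery[^"'\s>]*\.php)(?=["'\s>?#])""", re.IGNORECASE)
# File name the article describes, plus close variants such as jquery-1.x.min.php.
NAME_RE = re.compile(r"^jquery.*\.php$", re.IGNORECASE)
TEMPLATE_EXT = (".php", ".html", ".htm", ".tpl", ".phtml")  # assumed template types


def scan_webroot(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if NAME_RE.match(name):
                findings.append(("php-named-like-jquery", rel, name))
            if not name.lower().endswith(TEMPLATE_EXT):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for m in SCRIPT_RE.finditer(text):
                findings.append(("script-tag-loads-php", rel, m.group(1)))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: one clean page, one altered page, one planted file."""
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<script src="/js/jquery.min.js"></script>\n')
    with open(os.path.join(root, "header.php"), "w") as fh:
        fh.write('<script type="text/javascript" src="/js/jQuery.min.php"></script>\n')
    with open(os.path.join(root, "js", "jQuery.min.php"), "w") as fh:
        fh.write("<?php /* placeholder, constructed for this example */ ?>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for kind, rel, detail in scan_webroot(site):
            print(f"{kind:24} {rel}  ({detail})")
```

A finding is a prompt to compare the file and template against a known-good copy of the CMS or theme, since some sites may serve scripts through PHP on purpose.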
The webmasters of the hacked websites are slowly losing users and their sites’ reputation. Ad networks that show advertisements on these websites lose money.
This is because the jQuery.min.php script lets the hacked website load, waits a few seconds, and then redirects the user to another website.
Because of the small delay, the adverts load on the hacked websites, but users never get a chance to click them before being transferred to another URL.
Ad networks lose money because, for some of their ads, webmasters get paid by impression. Besides, webmasters also lose money in pay-per-click campaigns because users don’t get to click on the ads before being redirected.
“Advertisers who dedicate budget to converting sources are the most affected. They simply see a converting user coming from a certain source, thereby dedicating additional budget towards that source. If advertisers have optimized campaigns around traffic from these converting sources, it’s entirely possible you’ve whitelisted performing, infected websites, thereby perpetuating the problem off of these stolen visitors,” an eZanga spokesperson explained.