If there's one thing that cyber-criminals are good at, it's coming up with new ideas to generate profits in the shadiest and sometimes the most original ways.

Among all criminal groups, the most creative bunch are the ones involved with malvertising (malicious ads). Because of the quick pace at which browser vendors tend to patch reported problems, these groups need to come up with new tricks more often than their colleagues involved with desktop or mobile malware.

Over the past few months, security researchers at Malwarebytes, who study the evolution of malvertising groups and their respective campaigns, have observed a new method that crooks are using to generate profits.

The idea is to lure unsuspecting users onto malicious websites that show an ad inside a popup. Like most popups, a "close" button will be displayed in the popup's top-right corner.

Popup ad switcheroo (Image: Malwarebytes)

However, when the user moves his mouse to close the popup, CSS code from that page will expand the popup and move the ad into the cursor's path, so any click on the close button will actually land on the ad instead.

Malwarebytes' Jérôme Segura explains:

The crooks use CSS code dynamically appended to the page that monitors the mouse cursor and reacts when it comes over the X. The timing is important to capture the click a few milliseconds later when the ad banner comes in focus. These client-side tricks are implemented to maximize ad profits, since revenue generated from ad clicks is much higher.
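The swap described above leaves a recognisable trace on the client: the pointer stays put, but the element under it changes a few milliseconds before the click. The following detection heuristic is an added example, not code from Malwarebytes or from the campaign. The event record shape, the element names, the thresholds and the sample log are all constructed assumptions; in a browser, `target` would be whatever `document.elementFromPoint(x, y)` returns at that moment.

```javascript
// Added example: flag clicks whose target changed under a stationary pointer.
// Thresholds below are assumed values for illustration, not measured ones.
const WINDOW_MS = 300;   // max gap between last pointer sample and the click
const TOLERANCE_PX = 4;  // pointer counts as "not moved" within this distance

function findHijackedClicks(events, windowMs = WINDOW_MS, tolerancePx = TOLERANCE_PX) {
  const flagged = [];
  let lastMove = null;
  for (const ev of events) {
    if (ev.type === 'move') {
      lastMove = ev; // remember what the user was pointing at
    } else if (ev.type === 'click' && lastMove) {
      const dist = Math.hypot(ev.x - lastMove.x, ev.y - lastMove.y);
      const elapsedMs = ev.t - lastMove.t;
      // Same spot, short delay, different element: the page moved content
      // under the cursor faster than the user could react.
      if (dist <= tolerancePx && elapsedMs <= windowMs && ev.target !== lastMove.target) {
        flagged.push({ t: ev.t, intended: lastMove.target, received: ev.target, elapsedMs });
      }
    }
  }
  return flagged;
}

// Constructed sample log (t in milliseconds, x/y in CSS pixels).
const sampleLog = [
  { t: 1000, type: 'move',  x: 300, y: 200, target: 'popup-body' },
  { t: 1400, type: 'move',  x: 590, y: 12,  target: 'close-button' },
  { t: 1460, type: 'click', x: 590, y: 13,  target: 'ad-banner' },     // swapped in 60 ms
  { t: 5000, type: 'move',  x: 100, y: 400, target: 'article-link' },
  { t: 5120, type: 'click', x: 100, y: 400, target: 'article-link' },  // ordinary click
  { t: 8000, type: 'move',  x: 590, y: 12,  target: 'close-button' },
  { t: 9500, type: 'click', x: 590, y: 12,  target: 'cookie-notice' }, // changed, but 1.5 s ago
];

console.log(findHijackedClicks(sampleLog));
```

Only the second click in the sample is flagged; the last one is ignored because the user had 1.5 seconds to see the new element before clicking.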

Popup ad switcheroo (Image: Malwarebytes)

An animated GIF of this old switcheroo trick is embedded below.

Malwarebytes has discovered a malvertising campaign that redirects users to websites where boobytrapped popups automatically adjust an ad's position when users try to press the "close"
