Adometry Malware Lab Identifies New Online Ad Hijacking Scheme

Sophisticated Attacks Target Video, Display, and Search Campaigns to Commit Fraud

AUSTIN, Texas – Adometry, Inc. (formerly Click Forensics) announced that the Adometry Malware Lab has discovered a new highly sophisticated advertising fraud scheme targeting online video, display and search advertisements. The coordinated attack, called “ad hijacking,” uses similar malware and infection delivery methods to create a network of computers aimed at committing advertising fraud through different kinds of advertisements and channels. The ad hijacking attack affects online advertisers, ad networks, and publishers. More details of the Lab’s findings can be found at:

“In the past, advertising fraudsters have mainly set their sights on the search advertising industry,” said Paul Pellman, CEO of Adometry. “This is the first attack we’ve seen that coordinates advertising fraud across many different online ad channels.”

The Adometry Malware Lab first identified the new ad hijacking scheme and malware delivery method in November 2010. Rather than requiring a user to download malware via a fake anti-virus program, the malware injects itself into the rootkit of a user’s computer through an advertisement on a popular web site or simply when a browser visits a particular web site. Once it successfully infects the computer, the malware receives instructions from a host to perform multiple kinds of advertising fraud, including search hijacking, display advertising impression inflation, and video advertising fraud. The attacks are conducted in the following ways:

Search Hijacking – when a user enters an organic search term, the malware program re-directs the browser through different ad networks and arbitrage companies. Visitors can end up on sites they had no intention of visiting, and advertisers pay for unintentional and invalid clicks. Alternatively, visitors can reach their intended destination after being rerouted through several arbitrage networks, resulting in advertisers paying for audiences they would otherwise have for free. In addition, the malware program can be instructed to auto-click on specific ads on certain publisher sites and networks even when a browser session is inactive.

Video Ad Fraud – the malware hijacks an organic search and redirects the user’s browser to a web page that displays a video ad. The video plays and the advertiser is charged for the impression, which can command premiums of $30-$50 per thousand impressions (CPM).

Display Impression Inflation – hidden in the background from the user, the malware can direct the computer’s browser to various publisher pages that show display ads in order to generate fraudulent ad impressions. The user never sees these impressions, but advertisers pay full price for seemingly valid impressions because a “real” visitor generated the traffic.

Between November 2010 and May 2011, the Adometry Malware Lab has tracked the advertising scheme across many online ad networks and publishers. While difficult to quantify, the frequency with which Lab machines were infected indicates that tens or hundreds of thousands of computers are likely infected, generating millions of invalid clicks and advertising impressions per month. The Lab has found only one antivirus program capable of identifying and preventing the ad hijacking scheme’s malicious malware program from being installed.

For more information on Adometry, visit or follow on Twitter: @Adometry.

About Adometry

Adometry, formerly Click Forensics, provides scoring, auditing, verification, and attribution metrics to optimize results for online advertisers, agencies, publishers, and ad networks. Tracking billions of impressions in real-time, reporting on where they appeared, for how long, and to what effect; the Adometry mission is to bring greater levels of transparency and accountability to the online advertising industry. Headquartered in Austin, Texas, Adometry is privately held and backed by Sierra Ventures, Austin Ventures, Shasta Ventures and Stanford University. For more information visit

Adometry is a trademark of Adometry, Inc. Click Forensics is a registered trademark of Click Forensics, Inc. All other company and product names mentioned are used only for identification and may be trademarks or registered trademarks of their respective companies.