Hackers Exploit Ad Tools to Track Victims, Boosting Scam Efforts

By Sana Pashankar | February 16, 2024

Cybercriminals are using advertising tools to make their scams as “clickable” as possible.

In a new kind of email phishing tactic, hackers are sending malicious PDF attachments containing a link that’s registered through an advertising network, security researchers from HP Inc., said in findings released Thursday. When email recipients click the link, which hackers use to collect analytics on the number of clicks that their messages attract, they’re directed to a kind of malware called DarkGate.

Advertising tools allow hackers to more effectively evade detection and, crucially, measure the extent to which their scam operations are successful in much the same way that legitimate websites analyze their internet traffic. Because the link is registered under a legitimate advertising network, it has a more credible URL, which is less likely to draw skepticism by potential victims, according to researchers.

“Cybercriminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait,” said Ian Pratt, global head of security for personal systems at HP.

Hackers have also utilized other legitimate corporate tools to advance their operations like PowerShell, a task automation program from Microsoft Corp., and WinSCP, a file manager.

DarkGate malware is capable of collecting keystrokes and accessing sensitive files, according to cybersecurity research. It’s sold on various Russian-speaking cybercriminal forums.

Ad services also help hackers subvert many automated cybersecurity products by including a CAPTCHA test to determine is someone is a human or a bot. CAPTCHAs defeat many cyber tools because the automated nature of their scanning, a standard practice, fails the identity test.

The DarkGate campaign has experimented with different types of PDFs to trick victims, including one depicting a fake OneDrive error and the other in the style of an Adobe Reader interface, according to Alex Holland, a senior malware analyst on HP’s threat research team.

“That’s probably an indicator that they’re actually using these analytical tools to assess which lure is more effective than the other,” Holland added.

Top photo: FORT LAUDERDALE, FL – MARCH 07: Lt. Mike Baute from Florida’s Child Predator CyberCrime Unit talks with people on instant messenger during the unveiling of a new CyberCrimes office March 7, 2008 in Fort Lauderdale, Florida. One of the people on the other side of the chat told Lt. Baute, who is saying he is a 14-year-old girl, that he is a 31-year-old male and sent him a photograph of himself. According to current statistics, more than 77 million children regularly use the Internet. The Federal Internet Crimes Against Children Task Force says Florida ranks fourth in the nation in volume of child pornography. Nationally, one in seven children between the ages of 10 and 17 have been solicited online by a sexual predator. (Photo by Joe Raedle/Getty Images).

Was this article valuable?

Here are more articles you may enjoy.