


Contributing writer

Click-fraud malware now used for Russian propaganda

Apr 29, 2015


Malware typically used to artificially inflate advertising revenues is now being used to promote Russian propaganda on the Dailymotion video site, according to a report released today by Trustwave.

According to the report, the malware campaign starts out with the Angler exploit kit, which installs the Bedep Trojan on victim computers. Bedep is typically used for click fraud, said Ziv Mador, VP of security research at Chicago-based Trustwave Holdings, Inc.

Lately, however, it’s been used to drive up traffic to videos on Dailymotion, a video site based in France.

“It automatically loads movies from in a way that the user of the infected machine cannot see,” said Mador.

This artificially inflates the view counts of these videos, making them look more popular than they are — and causing them to be featured on the front page of the site.

Mador discovered several videos that were promoted this way, each one with a very similar view count of about 320,000 views, and identical historical trend charts.

One visible sign that the traffic was faked, he said, was that despite the high view numbers, there were practically no social sharing or comments on these videos.

“Usually when you go to movies that are popular, there are Tweets and Facebook shares,” he said.

To some extent, the tactics are working. On Tuesday, one of these pro-Russian videos was the second featured video on the home page of the site, Mador said.

The videos themselves are from third-party sources. One front-page video, for example, “Why Ukraine matters to the U.S. & Russia,” is from CNN. But despite having over 340,000 “views,” the video has received no Facebook shares, Tweets, or comments.

“We believe that the vast majority of those views are not real,” said Mador.

In addition, he pointed out, the video’s historical views chart is identical to that of “Russia Defends Visit to Norwegian Island Despite Sanctions,” which is a video from Wochit, a company that makes quick news-summary videos. In this case, the video relies on a Reuters report, and also has around 340,000 views, and no social shares or comments.

By comparison, a video of an earthquake in Nepal, with 258,000 views, has almost 700 Facebook shares.
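
An added example, not from Trustwave's report or the original article: the two signals described above (many views with almost no social engagement, and identical view histories) written as a check in Python. The thresholds, the daily histories, the comment counts and the fourth entry are assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: view/share totals follow the article's figures;
# daily histories, comment counts and the fourth entry are invented.
VIDEOS = [
    {"title": "Why Ukraine matters to the U.S. & Russia", "views": 340_000,
     "shares": 0, "comments": 0, "daily": [0, 0, 85_000, 85_000, 85_000, 85_000]},
    {"title": "Russia Defends Visit to Norwegian Island Despite Sanctions", "views": 340_000,
     "shares": 0, "comments": 0, "daily": [0, 0, 85_000, 85_000, 85_000, 85_000]},
    {"title": "Nepal earthquake", "views": 258_000,
     "shares": 700, "comments": 0, "daily": [120_000, 80_000, 30_000, 15_000, 8_000, 5_000]},
    {"title": "Small channel upload", "views": 900,
     "shares": 0, "comments": 0, "daily": [300, 250, 150, 100, 60, 40]},
]

MIN_VIEWS = 100_000      # assumed: ignore videos too small to judge
MAX_ENGAGEMENT = 1.0     # assumed: shares + comments per 10,000 views
SHAPE_TOLERANCE = 0.01   # assumed: max per-day difference in share of total views


def engagement_per_10k(video):
    """Social interactions per 10,000 views (0.0 when there are no views)."""
    if video["views"] == 0:
        return 0.0
    return 10_000 * (video["shares"] + video["comments"]) / video["views"]


def same_shape(a, b, tol=SHAPE_TOLERANCE):
    """True when two daily histories have the same normalised trend curve."""
    if len(a) != len(b) or sum(a) == 0 or sum(b) == 0:
        return False
    return all(abs(x / sum(a) - y / sum(b)) <= tol for x, y in zip(a, b))


def flag_inflated(videos):
    """Titles with many views, almost no engagement, and a cloned trend curve."""
    quiet = [v for v in videos
             if v["views"] >= MIN_VIEWS and engagement_per_10k(v) <= MAX_ENGAGEMENT]
    flagged = set()
    for a, b in combinations(quiet, 2):
        if same_shape(a["daily"], b["daily"]):
            flagged.update((a["title"], b["title"]))
    return sorted(flagged)


if __name__ == "__main__":
    for title in flag_inflated(VIDEOS):
        print("suspicious:", title)
```

Requiring both signals keeps a genuinely popular video and a small upload with no shares out of the result; only the pair with matching curves and no engagement is reported.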

Using click-fraud malware for political propaganda purposes is something new, Mador said.

“We believe that these are hackers who favor the Russian view,” he said.

The malware is also being used for its traditional purposes – to generate fake clicks on ads, and to generate fake views for run-of-the-mill, non-political videos such as celebrity gossip.

He added that since the malware itself is a common, well-known type, most anti-virus software should be able to protect against it, as do Web gateways such as those offered by Trustwave.

“The way the Trojan is distributed is using Web-based exploits of known vulnerabilities in Flash and Windows,” he said.

All it takes is a visit to a compromised website.

“Gateways block it at that point, before it’s even delivered to the user machine,” he added.