How ads enable malware — a practical example

Ana Milicevic
3 min read · May 19, 2016

The other day I noticed a rather familiar-looking ad popping up in my Twitter feed:

Oh, hello there

You’ve probably seen ads like this too — racy image (so far only female), legitimate-looking account (and it is indeed legitimate and belongs to an active Twitter user who is likely unaware that anything nefarious is going on), and a bunch of gibberish text around the ad: clear signs of automated activity. What struck me about this particular example was the callout to play.google.com → of course, this isn’t the URL you’d go to if you actually clicked on the ad. But it’s a sign that the gibberish generator is getting better and beginning to appear more legitimate. Future versions of this malware are bound to pass the sniff test even more easily.

So, what happens if you were to click on the ad? I saw that it linked out to a PHP script; Taha Özket looked into it further:

Embedding threaded conversations from Twitter is *really* hard. Easier to screenshot.

So there you have it — the PHP script points to a Chrome extension (and it looks like there were versions for other browsers too) that then captures the user’s login and takes over the account. The worst part is the affected user doesn’t know: they won’t see the promoted ads in their own timeline and will only notice if they go to look at their account on ads.twitter.com (not an obvious step, especially if you’re not actually interested in running ads).

I asked Taha to take a screenshot of the Chrome extension — ~~it appears to have been removed since but here’s what it looked like~~ (nope, still there, just unlisted; scroll down to the bottom for a new screenshot and update):

Malware remains a challenge for any self-service platform and is rapidly contributing to consumer disaffection with digital ads altogether. So what’s a platform to do to proactively mitigate these types of exploits? 3 things readily come to mind:

1. Vet that the display URL and the clickout URL point to the same domain, and automatically flag those that don’t for further review. This type of easy filtering would have caught this exploit: the display URL was play.google.com and the offending URL where the PHP script resided most certainly wasn’t on a Google domain.
2. Make sure users can report malware and threats. Here are Twitter’s options for reporting content — which one would you use?

3. Respond to concerns raised on your platform. In spite of tagging a variety of support-oriented accounts, reporting, and generally following all the options available, there’s been no reaction from Twitter so far (3 days later). The good news is the Chrome extension seems to have disappeared from the extensions store. If I were an ad buyer (and I work with many buyers and strategists daily) I’d be very alarmed by this type of behavior.
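Point 1 above is the one a platform can automate. The following is an added example (not code from the post or from Twitter) of what that display-vs-clickout check could look like: it reduces both URLs to their registrable domain and flags any ad where the two differ. All host names other than play.google.com are constructed, the small `MULTI_LABEL_SUFFIXES` table stands in for the real Public Suffix List, and the ad records are a made-up sample batch.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: a real deployment would load
# the full list so that e.g. "example.co.uk" is treated as one registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of a URL, lower-cased, or None if it
    cannot be parsed. Display URLs are usually shown without a scheme, so one is
    added before parsing. urlsplit().hostname drops userinfo and port, which is
    what defeats look-alike hosts such as 'play.google.com@cdn.example'."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def flag_for_review(display_url: str, click_url: str) -> Tuple[bool, str]:
    """Flag an ad whose displayed domain differs from where the click really goes."""
    shown = registrable_domain(display_url)
    target = registrable_domain(click_url)
    if shown is None or target is None:
        return True, "unparseable URL"
    if shown != target:
        return True, f"display domain {shown} does not match click domain {target}"
    return False, "domains match"


def triage(ads: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of ads and return those needing human review."""
    flagged = []
    for ad in ads:
        needs_review, reason = flag_for_review(ad["display_url"], ad["click_url"])
        if needs_review:
            flagged.append({**ad, "reason": reason})
    return flagged


# Constructed sample batch; only play.google.com comes from the post.
SAMPLE_ADS = [
    {"id": "ad-1", "display_url": "play.google.com",
     "click_url": "https://play.google.com/store/apps/details?id=com.example.app"},
    {"id": "ad-2", "display_url": "play.google.com",
     "click_url": "http://landing.example/click.php?c=9931"},
    {"id": "ad-3", "display_url": "play.google.com",
     "click_url": "http://play.google.com@cdn.example/click.php"},
    {"id": "ad-4", "display_url": "shop.example.co.uk",
     "click_url": "https://www.example.co.uk/offer"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ADS):
        print(hit["id"], "->", hit["reason"])
```

Two caveats for anyone wiring this into a real review queue: the clickout in the post was a PHP script that itself pointed onward, so the check should be run against the final landing domain after following redirects, not just the first hop; and subdomain-only matching (comparing full hostnames) would wrongly flag legitimate ads where `www.` and `play.` differ, which is why the comparison is done on the registrable domain.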

Stay safe out there friends — the (self-serve) advertising waters can be murky. And do report scams when you see them: collective filtering helps a ton. In the words of Hill Street Blues: let’s be careful out there.

Special thanks to Taha Özket, andrea lopez and everyone else who commented on the original thread.

Luke found a similar-patterned ad in his feed — you can spot the formula:

UPDATE: The Chrome extension is still there, it just appears to be unlisted (which explains why it didn’t come up for me when I searched for both the extension name and the developer name; once again, Taha Özket did the sleuthing, and I’m just doing the reporting). In the span of 3 days from the initial screenshot in the post above to the one below it seems to have grown by some 750 affected users — and this is just on Chrome:
