Cybercriminals Piggybacking on Google’s DoubleClick for Rapid Distribution

Online banner advertising began in the early 1990s as page owners sought additional revenue streams to support their content. Every popular website tries to generate revenue by setting aside a particular space on its web pages and renting it to network marketers. Google Display Network is one such strong group of more than a million websites, videos, and apps, through which Google displays third-party ads. Unfortunately, website owners have limited control over the ads running in this shared space.

Google’s DoubleClick: A lucrative ‘carrier’ for Cybercriminals!

DoubleClick is the ad technology foundation of Google which aims to create, transact, and manage digital advertising for the world’s buyers, creators, and sellers. Advertisers and agencies strengthen and simplify complex online campaigns, using DoubleClick’s digital ad management platform. Apart from delivery, DoubleClick also provides great analytical features through multiple enhancements or plug-ins to help marketers in formulating and evaluating targeting techniques. These data-driven insights and features have provided Google’s DoubleClick an edge over its competitors and have become hugely popular among marketers and agencies.

But as the saying goes, ‘you need to pay a price for popularity and success’: cybercriminals have begun to piggyback on Google DoubleClick’s ‘reach’ to meet their targets too!

Zemot Malware – The Malware spread by DoubleClick ad servers

According to the latest report, cybercriminals have exploited two online advertising networks, Google’s DoubleClick and the popular Zedo advertising agency, to deliver malicious advertisements to millions of internet users that could install malware on a user’s computer. A number of websites, including The Times of Israel, The Jerusalem Post and the Last.fm music streaming website, have become victims and are serving malicious advertisements designed to spread the recently identified Zemot malware.

The first impressions came in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected. According to the report, the malicious advertisements lead users to websites containing the Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer running on the victim’s system. If it finds one, it downloads the Zemot malware, which then communicates with a remote server and downloads a wave of other malicious applications.

The Zemot malware focuses on computers running Windows XP, although it can also infect more modern operating systems running on x86 and 64-bit machines. The malware can easily bypass the security software installed on the system before infecting computers with additional malware, which makes it difficult to identify.
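The chain described above (ad request, redirect to a landing site, payload download) leaves a recognizable trail in web proxy logs. The following detection sketch is an added example, not part of the original post: the log tuple layout, the host names, the content types and the 60-second window are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

AD_HOSTS = {"ads.adnet.example"}   # assumption: replace with your ad-network host list
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = 60                        # assumption: seconds from ad redirect to payload fetch

# Constructed records: (epoch_seconds, client, url, referer, content_type)
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://news.example/home", "", "text/html"),
    (101, "10.0.0.5", "http://ads.adnet.example/banner?id=7", "http://news.example/home", "text/html"),
    (102, "10.0.0.5", "http://landing.invalid/index.php", "http://ads.adnet.example/banner?id=7", "text/html"),
    (103, "10.0.0.5", "http://landing.invalid/x.swf", "http://landing.invalid/index.php", "application/x-shockwave-flash"),
    (105, "10.0.0.5", "http://landing.invalid/f.bin", "", "application/octet-stream"),
    (100, "10.0.0.9", "http://news.example/home", "", "text/html"),
    (101, "10.0.0.9", "http://ads.adnet.example/banner?id=3", "http://news.example/home", "text/html"),
    (102, "10.0.0.9", "http://shop.example/sale", "http://ads.adnet.example/banner?id=3", "text/html"),
]

def host(url):
    return urlparse(url).hostname or ""

def find_ad_driven_downloads(records, ad_hosts=AD_HOSTS, window=WINDOW):
    """Return (client, ad_host, payload_url) for binaries fetched from hosts
    the client reached through a referer chain that started at an ad host."""
    tainted = defaultdict(dict)    # client -> {host: (originating ad host, time)}
    alerts = []
    for ts, client, url, referer, ctype in sorted(records):
        h, ref = host(url), host(referer)
        seen = tainted[client]
        if h in ad_hosts:
            continue               # the ad request itself is not the signal
        if ref in ad_hosts:
            seen[h] = (ref, ts)    # first hop away from the ad network
        elif ref in seen and h not in seen:
            seen[h] = seen[ref]    # further redirect hops inherit the origin
        origin = seen.get(h)
        # Match on the tainted host, not the referer: a payload request made
        # outside normal page navigation may carry no referer at all.
        if origin and ctype in BINARY_TYPES and ts - origin[1] <= window:
            alerts.append((client, origin[0], url))
    return alerts

if __name__ == "__main__":
    for alert in find_ad_driven_downloads(SAMPLE_LOG):
        print("ad-driven binary download:", alert)
```

A normal ad click-through, such as client 10.0.0.9 in the sample, produces no alert because no binary is fetched from the landing host.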

‘Malvertising’- Whom to blame?

Malware served through ad units (or “malvertising”) is nothing new, but this incident is notable because of the unusually broad reach of the attack. This has become possible due to the sharp increase in online display advertising fuelled by Google DoubleClick’s reach. Google has confirmed the breach, shut down all the affected servers which were redirecting malicious code, and disabled the ads that delivered malware to users’ computers.

We strongly believe it’s a wake-up call to all stakeholders of online advertising. Publishers need to be more aware of the ads they are displaying on their websites, network marketers need to scan landing web pages for malware before displaying them on their network sites, and end users need to use the latest and updated software and plugins.

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

This post was last modified on November 14, 2023 10:30
