Magala Click Fraud Affects IE8 and Up
Posted by: Timothy Weaver on 07/13/2017 11:52 AM
According to Kaspersky Lab researchers, a new piece of malware is generating click-fraud profits for criminals.
The malware affects IE 8 and above but doesn't do any lasting harm to the system. It does, however, cheat companies that pay for legitimate online ad services.
Named Magala, the malware initializes a virtual desktop in order to execute its operations, including setting up autorun, sending a report to a hardcoded URL and installing the primary payload.
Part of the payload consists of loading a toolbar for the MapsGalaxy browser hijack, which then alters the system registry in order to make MapsGalaxy the default home page.
"Magala then contacts the remote server and requests a list of search queries for the click counts that need to be boosted," Kaspersky explains in its blog post. "Using this list, the program begins to send the requested search queries and click on each of the first 10 links in the search results, with an interval of 10 seconds between each click."
The highest number of infections found by Kaspersky occurred in Germany and the U.S.
"There are two characteristic features to this malware class which make it difficult to deal with," the Securelist blog post reads. "Firstly, there is the borderline functionality that blurs the lines between legitimate and malicious software. It has to be clarified whether a specific program is part of a secure and legal advertising campaign or if it is illegitimate software performing similar functions. A second important aspect of this class – its sheer quantity – also means a fundamentally different approach to any analysis is required."
The method of delivery is still unknown.
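The click pattern Kaspersky describes (each of the first 10 search results, 10 seconds apart) is regular enough to look for in web proxy logs. The Python below is an added example, not code from Kaspersky or the original post; the log tuple layout, the hostnames, the function names and the timing tolerance are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_rows():
    """Constructed proxy records: (timestamp, client, clicked URL, referer)."""
    t0 = datetime(2017, 7, 13, 9, 0, 0)
    rows = []
    # Host .5: one unrelated click, then ten result clicks exactly 10 s apart.
    search_a = "http://search.example/?q=cheap+flights"
    rows.append((t0, "10.0.0.5", "http://portal.example/", search_a))
    for i in range(10):
        rows.append((t0 + timedelta(seconds=60 + 10 * i), "10.0.0.5",
                     f"http://site{i}.example/", search_a))
    # Host .9: a person opening three results at irregular intervals.
    for i, off in enumerate((0, 47, 190)):
        rows.append((t0 + timedelta(seconds=off), "10.0.0.9",
                     f"http://news{i}.example/", "http://search.example/?q=weather"))
    # Host .7: ten clicks from one results page, but with human-like gaps.
    for i, off in enumerate((0, 4, 31, 33, 90, 95, 140, 200, 260, 400)):
        rows.append((t0 + timedelta(seconds=off), "10.0.0.7",
                     f"http://shop{i}.example/", "http://search.example/?q=shoes"))
    return rows

def find_regular_click_bursts(rows, min_clicks=10, interval=10.0, tolerance=1.5):
    """Return (client, referer, run_length) for every client whose clicks from a
    single search-results page contain a run of at least min_clicks clicks
    spaced interval +/- tolerance seconds apart.
    min_clicks and interval follow the behaviour quoted in the article;
    tolerance is an assumed allowance for network and logging jitter."""
    groups = defaultdict(list)
    for ts, client, url, referer in rows:
        groups[(client, referer)].append(ts)
    hits = []
    for (client, referer), stamps in groups.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            # Extend the run while the cadence holds; otherwise restart at this click.
            run = run + 1 if abs(gap - interval) <= tolerance else 1
            best = max(best, run)
        if best >= min_clicks:
            hits.append((client, referer, best))
    return sorted(hits)

if __name__ == "__main__":
    for client, referer, n in find_regular_click_bursts(sample_rows()):
        print(f"{client}: {n} evenly spaced clicks from {referer}")
```

A hit is a lead for investigation rather than proof of infection, since other automation can produce the same cadence.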
Source: SCMagazine
