Cyber criminals based primarily in Russia hijacked ads on Pornhub to infect viewers’ computers with malware, causing millions of dollars in damages, according to a US indictment.
Eight men – six from Russia and two from Kazakhstan – have been charged with cyber crimes. Three are awaiting extradition, while the others remain at large.
According to the unsealed indictment, businesses were left paying out more than $29m for ads which were never viewed by real human internet users.
Also unsealed were seizure warrants allowing the FBI to take control of 31 internet domains and take information from 89 computer servers to shut down the botnet globally.
The cyber criminals’ activities were detailed by information security firm Proofpoint, which explained how the attack on Pornhub worked.
Web browsers which navigated to Pornhub’s website were shown a fraudulent pop-up telling them to install an update to their web browser, or the Adobe Flash plugin.
But instead of a genuine update the downloaded file took control of the victim’s computer and began to run a hidden process clicking on ads which the criminals hosted on a fake web page.
Advertising fraud is a serious issue for web giants Facebook and Google, which generate the overwhelming bulk of their revenues by telling advertisers that their ads are reaching real people.
The use of bots to provide fake impressions is so prevalent on the internet that some advertisers only receive $0.01 for every $1 of impressions they pay for.
According to the justice department, the conspiracy required extensive efforts from the criminals to conceal that the ad impressions were computer generated.
“To create the illusion that real human internet users were viewing the advertisements loaded on to these fabricated websites, the defendants programmed the data centre servers to simulate the internet activity of human internet users,” it said.
This meant the servers were programmed for “browsing the internet through a fake browser, using a fake mouse to move around and scroll down a web page, starting and stopping a video player midway, and falsely appearing to be signed into Facebook”.
Details about browsers are all stored in cookies, which advertisers can check to gain more information on users.
The 13-count indictment charges eight men with various cyber crimes, including wire fraud.