MosQUito: The jQuery exploit that has your brand safety at risk

Advertisers, your brand safety is in jeopardy, and it’s not from a seedy traffic provider either. Rather, it’s human traffic that converts, and may appear on your whitelist. Your third-party traffic scoring provider has even given this source of traffic their coveted two-thumbs up.

But, there’s a big problem with this traffic. It’s converting, but not by choice.

Quietly lurking in the backend code of content management systems, hidden even to the trained eye, is a dangerous threat. jQuery.min.php is a script that fraudsters are using to redirect actual website visitors to unsuspecting advertisers, and when that happens, the fraudster gets paid.

It’s easy to overlook: over 41.6 million websites use jQuery, which is a legitimate JavaScript library. However, the legitimate file reference is jQuery.min.js, not jQuery.min.php.

This malicious script, which we’ve called MosQUito, quietly sucks traffic away from the infected website and takes it elsewhere, and you have no idea it’s happening until the damage is already done.

How does MosQUito work?

Visitors on a website infected with jQuery.min.php begin their user experience just as they would any other visit. They click and engage with the page, producing natural human movements which convert on advertisements and drive additional page views. Most of these visitors leave the website completely unaffected by MosQUito.

However, some visitors are forced into a pay-per-click link that is not making the website money. The owner of the website infected with MosQUito isn’t responsible for any wrongdoing and is seemingly unaware this redirect is taking place. And, since it is natural human traffic, it slips past third-party traffic scoring providers, too.

Of course, for many, the user experience often remains healthy and intact, even on websites infected with MosQUito. However, as random users click on links on infected websites, those redirected elsewhere often end up confused, irritated, or unaware, thinking this is part of the website’s user experience.

And when enough users are redirected to unsuspecting advertisers, they are bound to convert by filling out an offer or making a purchase.

A user’s perception of MosQUito

Generally speaking, most users won’t know what to make of MosQUito. They’ve typically interacted with an infected website as they routinely visit it, were enticed by a paid advertisement, or stumbled across it organically.

For example, a user browsing their local hardware store’s website might find it odd if they’re suddenly redirected to a big box hardware store upon clicking a link. Many would simply click the back button and think nothing of it. Others might get irritated that the big box retailer is trying to steal from the small town shop. And some will have no idea what happened, but move forward and make a purchase from the big box retailer.

All along, the user experience is affected, and their perception of the infected website, and the unsuspecting advertiser, is tarnished.

Cutting off the Fraud on Infected Websites

The MosQUito exploit appears to prey on WordPress and Joomla hosted sites. As of 2014, WordPress sites accounted for 74.6 million websites worldwide and Joomla states their software has been downloaded over 30 million times.

These are two of the largest content management systems in use, typically by small companies and bloggers. As such, websites hosted on these platforms may be infected.

Here’s a static list of sources we’ve isolated as of April 15th, 2016. It’s important to note, though, that this is not a complete list and will change as other sites are infected and as infected sites are cleaned.

By our assessments, a few third-party traffic scoring providers have eliminated some of these sources, likely for breaking other rule sets, but many sites infected by MosQUito are still passing traffic through their systems. These website owners are unaware they have a problem and continue to obtain traffic both organically and through paid efforts. Some of this traffic is then diverted and later converted on other websites.

As a website owner, if you suspect you’ve been infected by MosQUito, this bug does leave a trail. It results in slow site speeds and can be quickly isolated in the site’s HTML markup, as seen below.

The menacing threat for unsuspecting advertisers

Converting sources are highly coveted traffic. Advertisers seek converting visitors and websites, and leverage those sources to optimize the effectiveness of their campaigns, often targeting specific visitor profiles. This is great in practice, but if an unsuspecting user lands on an advertiser’s website without intending to, it can lead to dangerous brand consequences.

Redirects affect the user experience and could develop unfavorable and untrustworthy brand perception. The user is left confused with how they landed on the advertiser’s page. And as nice as it is to land a converting user for an advertiser, risking your brand safety is just simply not worth it.

Likewise, the advertiser is unaware that the user was stolen from a website and redirected to their brand. They simply see a converting user coming from a certain source, thereby dedicating additional budget towards that source. If advertisers have optimized campaigns around traffic from these converting sources, it’s entirely possible you’ve whitelisted performing, infected websites, thereby perpetuating the problem.

In sum, advertisers have optimized campaigns around converting traffic that their third-party traffic scoring provider has blessed as good traffic. However, these visitors have been stolen from other sites.

Keeping advertisers’ brands safe

Advertisers and their agencies are focused on finding the best sources of traffic, and optimizing accordingly. They believe they are doing the right thing based on backend metrics. However, if they look outside the box and realize how the traffic is getting to the advertiser, it is only a matter of time before the brand is blamed for stealing users away from other websites.

That said, advertisers are just as responsible for fighting ad fraud as the third parties scoring the traffic. Advertisers cannot rely solely on their third-party traffic scoring providers to keep their brands safe. It is merely a tool, not a crutch.

Educate yourself on ad fraud, how it perpetuates itself, and what indicators to look out for. Reviewing your backend analytics and data frequently will help you isolate patterns that are questionable, as well as identify quality, converting traffic.

If the brand’s goodwill is reliant upon a blessing from a third-party traffic scoring provider, ask them if they’re scanning for the MosQUito exploit. If not, they should be.

Keep in mind

Traffic sources that are infected now may be fine later, and vice versa. Your third-party traffic scoring provider should have a rule in place to account for currently infected, and newly infected, traffic sources. If you find the malicious MosQUito on sites driving traffic to your site, notify the webmaster and routinely check the traffic source.

Also, it would be quite simple for the fraudsters behind the MosQUito exploit to change the name of the script they’re using, making rulesets looking specifically for ‘jQuery.min.php’ obsolete. Therefore, it’s important to continuously review analytics and report any anomalies to your traffic providers as they happen.
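A check a site owner could run against their own page source, given here as an added example (not code from the original article): it lists script references whose file name is jquery.min.php and, because the name could change as noted above, any script source with a server-side extension. It assumes the injected reference appears as a `<script src=...>` tag; the extension list, function names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

KNOWN_NAME = "jquery.min.php"  # file name reported in this article
# Assumption: extensions that mean the "script" is generated server-side.
SERVER_SIDE_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def classify(src):
    """Return a reason string if src deserves review, else None."""
    path = urlsplit(src).path  # ignores host and query string
    name = posixpath.basename(path).lower()
    if name == KNOWN_NAME:
        return "known-name"
    if posixpath.splitext(name)[1] in SERVER_SIDE_EXTS:
        # Catches renamed variants. Some CMS admin pages load scripts through
        # .php endpoints legitimately, so this is a prompt for review.
        return "server-side-extension"
    return None


def scan_markup(html):
    """Return (src, reason) pairs for script references worth reviewing."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [(s, r) for s in collector.sources if (r := classify(s))]


# Constructed sample markup, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="//cdn.example.test/js/jQuery.min.php?v=1"></script>
<script src="/wp-content/themes/demo/js/slider.min.php"></script>
<script src="/assets/app.js?v=3"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, reason in scan_markup(SAMPLE_HTML):
        print(f"{reason:22} {src}")
```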

Once MosQUito has been remediated completely, this website can be removed from your advertisers’ blacklist and is ready to receive traffic once again.

Feature image: Erik F. Brandsborg via Flickr


