A WordPress ad-fraud operation abuses a backdoored plugin named fuser-master to turn dozens of blogs into fraud machines that load and refresh ads via a hidden popunder flow triggered by a special entrypoint URL. The plugin simulates human browsing (scrolling, link clicks) while watching for real mouse movement to stop fake activity, using Google and Twitter redirects to deliver the fraudulent sequence behind the scenes. hashtags: #fuser-master #momplaybook
Key points
- About 50 WordPress blogs were backdoored with the fuser-master plugin.
- A blog in January logged about 3.8 million visits, with an average duration of ~25 minutes and ~17 pages per visit.
- The plugin is triggered via popunder traffic from a large ad network.
- The blogs load in a separate window under the current one and display multiple ads.
- JavaScript in the plugin mimics human activity (scrolling, clicking) to generate invalid traffic.
- The code monitors for real mouse movement and halts fake scrolling when activity is detected.
MITRE Techniques
- [T1059.007] JavaScript: the plugin ships browser-side JavaScript that simulates a real visitor to generate invalid ad traffic. Quote: "The plugin contains JavaScript code that mimics the activity of a real visitor: scrolls the page, clicks on links, etc."
- [T1071.001] Web Protocols: the fraudulent redirect chain is delivered over ordinary HTTP(S) through open redirects on trusted domains. Quote: "The fraudsters are using open redirects from Google and Twitter in an interesting way."
- [T1562.001] Impair Defenses: the plugin's JavaScript includes anti-debugging code to hinder analysis. Quote: "anti-debugging code that they used."
Indicators of Compromise
- [Domain] Ad fraud indicators: momplaybook[.]com, geekextreme[.]com, and other domains
- [URL] Entry point used to trigger the fraud: /wp-content/plugins/fuser-master/entrypoint.php? (parameters e, Iptoken, websiteid, geo)
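A defender-side way to use the URL indicator above: scan web server access logs for requests to the fuser-master entry point and flag those carrying the four trigger parameters the page lists. This is an added example, not code from the original report or from the plugin; the log format assumed is the common combined format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the backdoored plugin's entry point, as reported on this page.
ENTRYPOINT_PATH = "/wp-content/plugins/fuser-master/entrypoint.php"
# Query parameters the page lists for the trigger URL.
ENTRYPOINT_PARAMS = {"e", "Iptoken", "websiteid", "geo"}

# Minimal combined-log parser (client, timestamp, method, URL, status).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def find_entrypoint_hits(lines):
    """Return one finding per request that touches the fuser-master entry point."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        # Case-insensitive path match; the plugin directory name is the key signal.
        if parts.path.lower() != ENTRYPOINT_PATH:
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hits.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "status": m.group("status"),
            "params": params,
            # All four trigger parameters present: matches the reported popunder flow.
            "full_trigger": ENTRYPOINT_PARAMS.issubset(params),
        })
    return hits

# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2024:10:15:01 +0000] "GET /wp-content/plugins/fuser-master/entrypoint.php?e=1&Iptoken=abc&websiteid=42&geo=US HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2024:10:16:30 +0000] "GET /wp-content/plugins/fuser-master/entrypoint.php?e=2 HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_entrypoint_hits(SAMPLE_LOG):
        print(hit)
```

Any hit on a site that should not have this plugin installed warrants checking wp-content/plugins for the fuser-master directory, since the entry point only exists where the backdoor is present.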