The security research team at American ISP CenturyLink have discovered that an IoT botnet is proxying traffic for an YouTube video ad fraud scheme.
Researchers made this discovery while investigating an IoT botnet known as TheMoon, which they initially began tracking after observing several CenturyLink devices performing credential brute-force attacks against popular websites.
An investigation into these devices revealed infections with the TheMoon IoT malware, and later also exposed the existence of a never-before-seen module designed to transform infected routers and IoT devices into proxies for bad traffic.
According to CenturyLink, in the past year, TheMoon botnet has been used for brute-force attacks, credential stuffing attacks, for advertising fraud, general traffic obfuscation, and more.
In a report released today, CenturyLink researchers delved deep into one of the advertising frauds they've seen carried out with TheMoon-infected devices.