Saturday, May 30, 2020

REPORT: Huge Criminal Ring Found to Be Behind Billions of Fraudulent Ads on Major Networks

By Pesach Lattin (http://pacevegas.com)

Pesach "Pace" Lattin is one of the top experts in interactive advertising and affiliate marketing. Pace Lattin is known for his dedication to ethics in marketing and his focus on compliance and fraud in the industry, and has written numerous articles for publications including MediaPost, ClickZ, ADOTAS and his own blogs.

A massive malvertising operation bought an estimated 1 billion ad views in 2017 under the guise of 28 different fake ad agencies, in what a new report is calling the largest operation of its kind last year.

The malvertising juggernaut – a sort of malicious conglomerate, if you will – reached 62 percent of ad-monetized websites on a weekly basis, notes the report, written by Jerome Dangu, cofounder and CTO of online ad security company Confiant, which dubbed the actor the Zirconium group.

It also appears to have reached every single ad network, including Engage:BDR and DoubleClick.

Zirconium’s primary method of attack in 2017 was forced redirects, whereby users who visit a website compromised by malvertisements are involuntarily redirected to one or more malicious websites, often for the purpose of affiliate fraud or possibly malware infection via fake updates and scareware tactics.

By having more than two dozen fake ad agencies posing as a front, Zirconium has been able to conduct large volumes of business with legitimate ad platforms in piecemeal fashion, thus avoiding suspicion while also ensuring continued business in the event one of these phony agencies is ever exposed.

Dangu reports that Zirconium took painstaking efforts to make sure each of its fraudulent ad agencies looks like a legitimate independent business, distinct from all the others. Indeed, each faux agency has its own unique online and social media presence that includes fake CEO listings on LinkedIn, stock business photos, social media posts (generated by bots), and unique online content. Moreover, each one is operated via separate, independent technical infrastructures and uses unique ad-serving code.

Most of these fake branded companies were created in February 2017 and subsequently launched in March and April of that year. Eight of the 28 phony brands remain unused – likely waiting to be activated as the other agencies peter out or get banned.

“Zirconium was extremely successful at replicating the ‘small business’ ad agency style. The attackers successfully built direct business relationships with as many as 16 ad platforms,” Dangu reports. “Leveraging a swarm of fake ad agencies gives a strong justification for running custom ad servers, a critical part of the scheme because it allows for JavaScript execution on websites running ads.”

According to Confiant, the scheme typically works as follows: When web users visit a website plagued with Zirconium malvertising, the redirection chain commences via the online domain for the mobile ad platform Beginads.com. This domain acts as a central gateway and traffic direction system to reroute visitors to a Zirconium site called MyAdsBro, through which other black hats can also direct traffic, for a fee. Visitors are next redirected to a landing page, which is not operated by Zirconium. Instead, the actors reportedly resell the redirected traffic to various affiliate marketing platforms.

In an email to The Register, Confiant chief technology officer and cofounder Jerome Dangu said his firm came up with the name Zirconium as a riff on the diamond-themed name of the shell company at the heart of the campaign.

“Typical established malvertising groups, like the Kovter Group, operate sporadically, running highly evasive campaigns for a few days and then disappearing,” he said. “Zirconium was live for the whole year, running campaigns on multiple tier-one ad platforms at once.”

Dangu notes that as of October 2017, the Zirconium actors began employing fingerprinting techniques to collect data on users’ browsers and devices in order to avoid redirecting any machines that are likely used by security professionals.

Confiant also reports that the legal entity representing Zirconium’s interests is Cape Diamond LP, a shell company incorporated in Scotland, with partners in the Seychelles (Damitra Group LTD and Lamen Business LTD). The cybersecurity firm notes that the offshore companies are known to be “extensively involved in online fraud activities, some of which [are] cryptocurrency-related.”

“The Zirconium business model is capital intensive and it makes sense that they would need to shield themselves behind an opaque offshore corporate structure,” Dangu concludes.

At some point on Tuesday or shortly thereafter, Google is scheduled to release Chrome 64 to its stable channel, bringing with it an unorthodox defense against the Zirconium group’s favored attack technique “forced redirects,” in which ads make browsers open unwanted websites.

“Under the hood, [the attack technique] is as simple as top.window.location = 'http://malicious...' but there are variations like an <a target="_top"> link that gets clicked automatically in JavaScript,” explained Dangu. “To protect this code from detection, malvertisers rely heavily on evasion techniques like JavaScript fingerprinting.”

The goal of fingerprinting is to separate potential victims from security researchers and bots and other automated systems trying to detect malicious activity.
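As an added illustration of the publisher-side controls this implies (this is example code, not Confiant's or anyone else's tooling), the block below does two things: a static scan of an ad creative for the top-frame navigation patterns Dangu quotes (top.window.location assignments and <a target="_top"> links), and a function that strips the iframe sandbox tokens which let a framed ad navigate the top-level page. The function names, pattern names and sample creatives are constructed for this example; the static scan is only a heuristic, since the fingerprinting and obfuscation the article describes are designed to hide exactly these strings, which is why the sandbox attribute is the structural control.

```javascript
// Example (constructed, not from the report): publisher-side checks against
// forced-redirect creatives.

// Forced-redirect code patterns seen in ad creatives. Pattern names are ours.
const REDIRECT_PATTERNS = [
  // top.location / top.window.location / window.top.location.href = ...
  { name: 'top-location-assign',
    re: /\b(?:window\.)?top(?:\.window)?\.location(?:\.href)?\s*=(?!=)/ },
  // parent.location = ... (reaches the publisher frame in one-level embeds)
  { name: 'parent-location-assign',
    re: /\b(?:window\.)?parent\.location(?:\.href)?\s*=(?!=)/ },
  // top.location.replace(...) / top.location.assign(...)
  { name: 'top-location-replace',
    re: /\b(?:top|parent)(?:\.window)?\.location\.(?:replace|assign)\s*\(/ },
  // an anchor targeting the top frame, the auto-click variant Dangu describes
  { name: 'anchor-target-top',
    re: /<a\b[^>]*\btarget\s*=\s*["']?_(?:top|parent)\b/i },
];

// Returns the names of every forced-redirect pattern present in a creative.
function scanCreative(source) {
  return REDIRECT_PATTERNS.filter(p => p.re.test(source)).map(p => p.name);
}

// iframe sandbox tokens that grant a framed ad top-level navigation.
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Returns a sandbox attribute value with top-navigation rights removed.
// An empty value means "no sandbox at all" (the weakest setting), so it is
// replaced with the minimal token set a scripted, clickable ad needs.
function hardenSandbox(sandboxAttr) {
  const tokens = sandboxAttr.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) {
    return 'allow-scripts allow-popups allow-popups-to-escape-sandbox';
  }
  return tokens.filter(t => !TOP_NAV_TOKENS.has(t.toLowerCase())).join(' ');
}

// Constructed sample creatives (malicious.example is a placeholder host).
const SAMPLE_CREATIVES = {
  benign: '<div><img src="https://cdn.example/banner.png"><script>console.log("ok")</script></div>',
  forced: '<script>setTimeout(function () { top.window.location = "http://malicious.example/"; }, 500);</script>',
  anchorClick: '<a id="x" target="_top" href="http://malicious.example/">deal</a><script>document.getElementById("x").click();</script>',
};
```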

Malvertising is getting worse. “Chrome’s change is a direct reaction to the deterioration of the security environment for ad monetized websites,” he said.
