Two Cybercrime Rings and Eight Defendants Indicted for Digital Advertising Fraud (justice.gov)
129 points by NN88 on Nov 27, 2018 | hide | past | favorite | 52 comments


The interesting thing about ad fraud is that the people who lose have no ability to police the problem. Ad networks get paid for fraud. Intelligent ad buyers that use cost-per-acquisition targeting don't care, because they just bid lower if the traffic is a mix of fraud.

The losers are unsophisticated ad buyers such as the brand advertisers that use ad agencies to fill their ads with garbage traffic. Procter and Gamble has recently figured out that internet display is pretty much worthless. The other losers are legit publishers. I am perfectly happy to pay $0.50 a click with half the traffic being fraud, as I am willing to pay $1.00 a click for legit traffic from legit publishers. I get the same result, but my money gets split 50/50 between legit publishers and crooks.

I am mostly a dev, but have bought more than $1M in advertising on multiple platforms. The biggest joke I have ever seen was AppNexus. It was like 70% or more fraud, and it was the most obvious crap imaginable. For instance, all clicks coming from 8 month old user agents for evergreen browsers.

Google AdWords and DoubleClick have been mostly clean. I'd say 85-90%. I do see stuff that is obvious bullshit from time to time, and it goes away pretty quickly, but Google doesn't refund the money. I don't really care... they make it so we can police it pretty well. Facebook ads are completely clean, but they don't run a network.

The simple rule for picking an ad platform is: if it isn't loaded with performance advertisers (CPA), then stay the hell away.


While I agree that fraud[1] is mostly non-existent for ad views on the Facebook, Instagram, and Messenger properties, they actually do run a network now[2]. I can't find any information about how it handles ad views when it can't identify the end user. If they don't display an ad then it's likely as robust as the on-property views. But if it shows ads, then it probably introduces the same level of fraud as you see on AdWords.

[1] Fraud free doesn't mean bullshit free. They tend to be very liberal with how they calculate billable events from user interactions.

[2] https://www.facebook.com/business/marketing/audience-network


>Ad networks get paid for fraud

Ad networks' value proposition is: give us money and an ad and your revenue will rise. If there's fraud, that just dilutes the effectiveness of the proposition. Eventually poor quality networks die in the same way that the market winnows fertilizer etc. There is no free lunch.


Assumes attribution, which is a hard problem. If I can't measure whether a digital ad campaign (in your case) increased revenue, then I can't select for the best performing network. Attribution is also gamed and complex (last click, cookie stuffing, modeled, outright fraud, etc.)


I agree. It means that all roads lead to Google. The network size is advantage enough, and the ability to detect fraud is the cherry on top. Having a ton of exclusion data from advertisers is damn near impossible to replicate.


The most interesting part for me: "Furthermore, the defendants leased more than 650,000 Internet Protocol (“IP”) addresses, assigned multiple IP addresses to each datacenter server, and then fraudulently registered those IP addresses to make it appear that the datacenter servers were residential computers belonging to individual human internet users who were subscribed to various residential internet service providers."

That's... really smart. A lot of companies use services like MaxMind to do this. I wonder how difficult it is to get a GeoIP data correction request approved: https://support.maxmind.com/geoip-data-correction-request/


Scamming at that level requires so much skill and hard work that you have to wonder why they don't start a legitimate business to make more money with less risk? I suppose for some it's just for the thrill.


I think because it’s a different type of risk. With your own business the risk is that you fail and don’t make money. With a scam you can make a bunch of money for a long time before the risk of being caught ramps up. You’re quickly (relatively) rewarded instead of agonizing over whether or not you will be.


Well, they all live in Kazakhstan and Russia. It may not be so easy to convert talent into legitimate business success, particularly when "cybercrime" (god I hate that word) is often encouraged in places like Russia so long as it targets non-Russians.


I don't think people in civilized countries even remotely understand the level of desperation poorer people from those countries go through. VICE's documentary about krokodil is actually quite good. Except when people watch it they think it's about someone particularly far away from the average - but it's not.

The chance of getting a visa to move out, or of starting a business, which can only be oriented towards civilized countries if you'd like to make any money at all, is particularly low.

IT is one of those areas which you can still learn particularly well without any access to textbooks or academia.


Same question for guys running botting shops at a level that even Google and Co. can detect (ones who keep cracking the latest captchas, run custom VMs for evading JS performance profiling, etc.)

I guess they have one thing in common: a lot never ever thought of traveling abroad. While some people I knew in that scene 10+ years ago had perfect English, in their mind "the abroad" is such a distant and obscure place, one they think is totally beyond their reach, that they don't even bother toying with the idea of moving abroad.

And also notice, the guys indicted are rather old, and probably were in the scene since the era of the first internet ad companies, doing ad fraud long before Google was even a thing.


I have a friend who's in jail for ~14 years now after hitting a third strike law with a fraud of ~ 30 million dollars.

Long story short, he did it because he was really good at it and got better over time. You don't knock something like this out without having done a lot of smaller stuff first, and by the time you get to this level of skill and sophistication, it's because it's easier to do this, and the skills you've built up don't apply well to real world jobs, or if they do at all, they don't pay nearly as much as you can get paid by running the scam, and with all that skill and experience, the risk of getting caught does go down quite a bit.


Why did Jay-Z sell cocaine? Some entrepreneurs are born into less opportunity.


Going back to 2005 or so, leasing and announcing entire CIDR prefixes was pretty popular for spammers.

A /19 would run you about 8k/m and I assume MaxMind updates are included in the cost.

I have no citation for this, but SORBS and friends blacklisted /24 by default. If you had enough servers you could send enough email to turn a profit before your /24 was blacklisted. Only until you got to SORBS level 3 was your prefix blocked. Of course they would delist you for 2000/day.


1. You don't feel like an offensive hacker while running a legitimate business.

2. Legitimate business requires more than just talent! If you don't know people in power, don't have the required connections, good luck getting necessary permits etc..

3. Starting capital due to compliance requirements is much higher! It pretty much excludes everyone who isn't coming from the Ivy League.

4. There is a very high probability that even if you've all the resources you might fail.

5. Government officials might as well take over your company anytime. (In former Soviet countries and corrupt third world countries, government officials do take over your business.)

Simply having money isn't enough in itself. VCs also bring top level connections, including people who will serve as executives in future with intimate connections to Government.

These guys don't have anything else other than cheap labor (which will do anything provided it doesn't have to do with messing with the authorities of the countries they are living in) and their own skill.


> the defendants leased more than 650,000 Internet Protocol (“IP”) addresses

That's... a not-insignificant number of IPs to have. I wonder how many different blocks were used and across which RIRs?


It was actually well over 800k.

Here's a list - note that many have been reassigned: http://methbot.s3-website-us-east-1.amazonaws.com/IPs-CIDR.t...


Apparently we're in sync around our use of ellipses to simulate dramatic pause.


Haha, this is Kovter. It's slick malware; I always found the infection interesting. It's fileless and uses JavaScript to start mshta, which executes PowerShell from the registry, and so on. It was one of my favs, happy-sad they took it down.


Some technical details: https://services.google.com/fh/files/blogs/3ve_google_whiteo... (note: I work for White Ops)


Who is the audience for this paper? It reads as if parts of the analysis were by someone technically proficient, and others are by someone without a technical background.

E.g. "We observed that when the malware created the new desktop, it didn’t create a new instance of explorer.exe. This meant that an analyst wouldn’t be able to easily access their tools, because there wouldn’t be a way to create processes on this desktop due to the absence of a running instance of Explorer."

Is there any malware which creates a new explorer instance on a hidden desktop? Were you hoping to call CreateDesktopExW() and then SwitchDesktop() and just click the start button and open up a screen recorder app? Yet if you wanted to do this, you could easily call CreateProcess() with the lpDesktop pointer set to the hidden desktop to start your tools there...


By chance do you know if/where the collected 3ve js code will be published? I'm specifically interested in looking at their js property patching


I don't think it's being published. The snippets in the paper were obtained from process memory dumps by folks reversing the malware, so we don't really have a good clean copy - just fragments.


Interesting. Well, if it ever gets published I would love to see it! We have our own JS to help us model 'unique voters reached' and as one piece of our fraud reduction toolset (in addition to 3rd party providers). The given example in the PDF (maxChannelCount) is actually one piece of entropy we collect.

Now that I'm thinking through this example, I'm going to try and test for these monkey patched methods (not sure if I can do it, but maybe md5(toString) compared to major browser native hashes?).

Sounds like you work for a verification vendor, if so have you had success with detecting these 'monkey patches'?


I work for White Ops, which could reasonably be considered a verification vendor, though we prefer to be known as a security company.

As you can imagine, specific techniques used for detecting fraudulent monkey patching (or even whether we attempt to do so) aren't generally something I can talk about.

That said, there are a few slides about the cat-and-mouse games of .toString() here (starting about page 20): https://rya.nc/shmoo17 [PDF]

In short, using .toString() will find naive monkey patches, however it can be overridden to varying degrees of cleverness.
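The cat-and-mouse game described in the two replies above (checking `.toString()` for `[native code]`, and a patch that overrides its own `toString` to pass that check), as an added example that is not code from the thread, from White Ops or from the poster's measurement script. It runs under Node, where `Date.now` stands in for a browser native such as the `maxChannelCount` getter; the object names, the regex and the thresholds are this example's own assumptions.

```javascript
'use strict';
// Added example, not from the original thread or any vendor's product:
// a naive Function.prototype.toString check versus a stricter one, run
// against three versions of the same "native" API constructed below.

// Capture the native toString once, before any page script can replace it.
// The check is only as trustworthy as this capture, so it must run first.
const nativeToString = Function.prototype.toString;

// Engines render natives as "function name() { [native code] }".
const NATIVE_RE = /^function \w*\(\) \{\s*\[native code\]\s*\}$/;

// Naive check: ask the function itself, through its own (overridable) toString.
function looksNativeNaive(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(fn.toString());
}

// Stricter check: bypass the function's own toString by invoking the saved
// native one with .call, and reject any function that carries its own
// toString property or whose inherited toString is not the saved native.
function looksNativeStrict(fn) {
  if (typeof fn !== 'function') return false;
  if (Object.prototype.hasOwnProperty.call(fn, 'toString')) return false;
  if (fn.toString !== nativeToString) return false;
  let src;
  try { src = nativeToString.call(fn); } catch (_) { return false; }
  return NATIVE_RE.test(src);
}

// Audit a set of properties on an object; returns the names that fail a check.
function audit(obj, names, check) {
  return names.filter((n) => !check(obj[n]));
}

// --- Three flavours of the same API, constructed for this example ---

// 1. Untouched native (Date.now stands in for a browser getter).
const clean = { now: Date.now };

// 2. Naive monkey patch: a plain wrapper whose source text gives it away.
const naivePatched = {
  now: (function (real) { return function now() { return real() + 1; }; })(Date.now),
};

// 3. Patch that lies: overrides its own toString to echo the native's text.
const lyingPatched = {
  now: (function (real) {
    const fake = function now() { return real() + 1; };
    fake.toString = () => nativeToString.call(real);
    return fake;
  })(Date.now),
};

// Run both checks over all three objects; each entry lists flagged names.
function runAudit() {
  const targets = { clean, naivePatched, lyingPatched };
  const out = { naive: {}, strict: {} };
  for (const [name, obj] of Object.entries(targets)) {
    out.naive[name] = audit(obj, ['now'], looksNativeNaive);
    out.strict[name] = audit(obj, ['now'], looksNativeStrict);
  }
  return out;
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The naive check passes the lying patch; the strict check catches it because the override has to live somewhere (an own `toString`, or a replaced `Function.prototype.toString`) and the detector holds a reference captured earlier. Two caveats a practitioner should keep in mind: ordering is everything, since a page script that runs before the capture can hand the detector an already-patched `toString`, and a `Proxy` wrapped around a native is rendered as `[native code]` by the engine itself, so this check alone does not see through it.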


Of course they already thought of that lol. I really love the cleverness of this 'game.' I probably spend far too much time tinkering with our own js measurement script for how small we are but it's kind of addictingly fun.

Are you involved with sales or just engineering? My work email is in my profile I might drop you a note though I am just guessing your product is too expensive for our clients (mostly political campaigns).


I'm a researcher - I don't actually see your email in your profile, you have to include it in the about text if you want it to be seen. I can put you in touch with the right person in sales if you contact me (my personal email is publicly visible).


it's dillon @ 4degre.es


"Ad Network #1 rented more than 1,900 computer servers housed in commercial datacenters in Dallas...spoofing more than 5,000 domains...leased more than 650,000 IP addresses...$7 million in ad fraud"

"Ad Network #2 carried out another digital ad fraud scheme...botnet...more than 1.7 million infected computers...download fabricated webpages...$29 million in ad fraud"


Using your malware botnet to click on fake ads and generate 27 million in actual ad revenue is pretty damn crafty.

Only part I'm unclear on is whether they were actually operating the network/marketplace, or just falsifying the publisher and user parts of it. Sounds like the latter, in which case, I wonder which ad networks got gamed.


What impresses me is that three of them have already been arrested in various countries. I wouldn't have expected such effective international cooperation between intelligence/police services, considering the countries they were arrested in aren't exactly closely tied to the US.


The cynic in me says that this is because they weren't just hurting the interests of the U.S. government - they were hurting the interests of the largest mega-corporations on the planet.


As usual with Russian suspects, they wait until they travel outside of Russia and get them then. I imagine the other suspects won't be leaving Russia anytime soon.


Maybe not so surprising - Bulgaria and Estonia are both in the EU and Malaysian-US co-operation on security is pretty tight.


Is there an easy way to check if your computer is compromised and is part of a botnet?


It depends: you need to rely on an IoC to notice a piece of malware. This is typically a signature, a direct communication with a known C2 or a malicious URL, a hash, ... Beyond the most simple techniques, I'd mention traffic monitoring and analysis (especially traffic flow analysis) and behavioural analysis.

However, detecting a dormant botnet is neither easy nor simple. E.g. DARPA (via HACCS) awarded a $1.2m contract to build a system that can automatically pinpoint botnet-infected devices. https://www.fbo.gov/?s=opportunity&mode=form&id=72de4936f6f4...
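Two of the checks the reply above lists, IoC matching and traffic flow analysis, as an added example that is not part of the thread and not any product's detection logic. It runs a constructed outbound proxy log through a blocklist lookup and a simple beaconing detector that flags near-periodic connections from one host to one destination, which is the kind of pattern a bot polling its C2 leaves even when the destination is on no list. The log lines, hostnames, blocklist and thresholds are all made up for the example.

```javascript
'use strict';
// Added example, not from the original thread: IoC matching plus a
// periodicity ("beaconing") check over a constructed outbound proxy log.

// Constructed blocklist; in practice this would come from a threat feed.
const IOC_DOMAINS = new Set(['c2.example-bad.test', 'update.example-bad.test']);

// Constructed log, one connection per line: "<unix ts> <src ip> <dst host> <bytes>".
// 10.0.0.5 browses irregularly; 10.0.0.7 polls one host every ~60 s;
// 10.0.0.9 makes a single connection to a listed domain.
const LOG = `
1543300000 10.0.0.5 www.example.com 5120
1543300000 10.0.0.7 static.example-host.test 212
1543300017 10.0.0.5 cdn.example.com 90311
1543300042 10.0.0.5 www.example.com 2210
1543300060 10.0.0.7 static.example-host.test 212
1543300121 10.0.0.7 static.example-host.test 214
1543300130 10.0.0.5 mail.example.com 1440
1543300180 10.0.0.7 static.example-host.test 212
1543300240 10.0.0.7 static.example-host.test 212
1543300299 10.0.0.7 static.example-host.test 213
1543300311 10.0.0.5 www.example.com 7750
1543300360 10.0.0.7 static.example-host.test 212
1543300390 10.0.0.9 c2.example-bad.test 312
1543300420 10.0.0.7 static.example-host.test 212
1543300481 10.0.0.7 static.example-host.test 212
1543300540 10.0.0.7 static.example-host.test 212
`;

function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, src, dst, bytes] = line.trim().split(/\s+/);
    return { ts: Number(ts), src, dst, bytes: Number(bytes) };
  });
}

// Check 1: plain IoC match on the destination host.
function matchIocs(records, iocDomains) {
  return records.filter((r) => iocDomains.has(r.dst));
}

// Check 2: flow analysis. Group by (src, dst), look at inter-arrival gaps,
// and flag flows whose coefficient of variation (stddev / mean) is low,
// i.e. connections that arrive on a near-fixed schedule.
function findBeacons(records, { minCount = 5, maxCv = 0.1 } = {}) {
  const flows = new Map();
  for (const r of records) {
    const key = `${r.src} -> ${r.dst}`;
    if (!flows.has(key)) flows.set(key, []);
    flows.get(key).push(r.ts);
  }
  const hits = [];
  for (const [key, tsList] of flows) {
    if (tsList.length < minCount) continue;
    const ts = [...tsList].sort((a, b) => a - b);
    const gaps = ts.slice(1).map((t, i) => t - ts[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    if (mean <= 0) continue;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= maxCv) {
      const [src, dst] = key.split(' -> ');
      hits.push({ src, dst, count: ts.length, meanInterval: mean, cv });
    }
  }
  return hits;
}

function analyse(text = LOG) {
  const records = parseLog(text);
  return { iocHits: matchIocs(records, IOC_DOMAINS), beacons: findBeacons(records) };
}

console.log(JSON.stringify(analyse(), null, 2));
```

The IoC lookup is only as good as the feed, which is why the sinkhole data discussed further down matters: once a C2 domain is redirected, the connections still show up in logs and can be matched. The periodicity check needs no list, but real bots add jitter and sleep for long stretches, so the thresholds are a tuning decision and a dormant bot produces nothing to see until it wakes.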


This alert has some info about where the malware is installed. That would be a good place to start: https://www.us-cert.gov/ncas/alerts/TA18-331A


I am curious if we'll actually see any extradition from any of the involved countries.


I would imagine Estonia will cooperate, as the US is pretty much the only reason Russia is not taking it over.


That bit will already be sewn up. They would not arrest if they didn't think they could extradite, they would wait until their next holiday and grab them there.


You mean you want to know if advertising fraud is a crime in those countries and the US agencies will work with the agencies overseas? Extradition is the circus for the media and to please the folks calling for a lynching, not the justice.


> “This kind of exploitation undermines confidence in the system, on the part of both companies and their customers,” stated FBI Assistant Director-in-Charge Sweeney.

Haha! What on Earth is "the system"?! Did he really say that? Bad criminals spoiling our nice advertising system.


> the FBI executed seizure warrants to sinkhole 23 internet domains

Sinkhole?


It's defined in the second paragraph: "The FBI, working with private sector partners, redirected the internet traffic going to the domains (an action known as “sinkholing”) in order to disrupt and dismantle these botnets."


Route them to nowhere. In particular, route them not to servers controlled by the criminals.


Actually they get routed to servers operated by security companies that log incoming connections. This information is then shared with internet providers and corporations to help disinfect the end users machines that are trying to coordinate with the botnet.


Do they call up customers telling them their computer has been infected with a virus? I am suddenly terrified that some non-zero percentage of those spam calls may actually be legit, and that I may need to treat every one of them as authentic (until they ask for teamviewer).


Yes, you may certainly receive a call or email. I've been on both the sending and receiving end of those while working infosec at different companies.


Interesting. Do they need a warrant for this? It doesn't sound like it since they mentioned working with "private sector partners."


> the FBI executed seizure warrants to sinkhole 23 internet domains


In my mind, "normal" digital advertising only barely escapes the definition of fraud.


Who doesn’t love to be manipulated constantly?



