How Ad Networks are Being Used for Scamvertising
The Internet age has shown us a myriad of online scams, from get rich quick schemes to winning the lottery, typically originating via an email hook. This is a blind way of distributing scams, since scammers have no way of knowing if the scam is relevant to the person they are trying to lure. For example, a scammer might send a Lotto scam in a country where there is no Lotto. This has changed; scammers now have access to online advertising networks, which have proven to be very powerful targeting tools because of the vast amount of demographic and web usage behavioral information they possess about real people.
What is an Ad Network?
Ad Networks sell inventory, or advertising space on web pages offered by web publishers like CNN, the Wall Street Journal and even blogs. They package inventory based on consumers’ demographic information, then sell it on behalf of publishers to advertisers, commonly at a CPM (Cost-per-thousand impressions) model. This allows Advertisers to gain access to a diverse set of publisher sites on which they can then push highly targeted and relevant ads to consumers.
As such, this makes Ad Networks perfect distribution points for scamvertising and other potentially fraudulent activities. Ad Networks provide the reach and the targeting capabilities to easily and more efficiently target victims. In this article, we provide evidence of this trend.
Our investigation began as a result of an unrelated project. As part of zveloLABS’ ongoing focus on ad fraud and non-human traffic research and detection, we were analyzing malware behavior. The actual malware was called Poweliks. What piqued our interest is what we found during our analysis of the traffic.
Based on the traffic, Poweliks was definitely exhibiting click fraud type of behavior. Noticeable in the screenshot (image 1) is the typical recipe for several of the most recent click fraud types of malware: use of low quality search sites to launder traffic and then the use of intermediaries to redirect to an advertiser’s landing pages. These intermediaries are Ad Networks.
The search websites detected are created in bulk for laundering non-human or fraudulent traffic. In this scenario, an Advertiser’s web referrers would be the search sites instead of the infected machines, meaning that the true traffic source would remain unknown.
For example, we found many of these sites with the exact same web templates, IPs and registration information (see image 2).
The malware typically sends a search query to one of the search sites. The search site then provides a result (an Ad), which then points to an advertiser’s landing page. In click fraud, malware generates a “click.” Clicks are then charged to advertisers commonly at a cost-per-click (CPC) model. CPCs range between a few cents to a few dollars, and can blow up Advertiser budgets real quick.
The Ad Network and Scams
This is where it gets interesting. As stated, once the ad is clicked, it redirects to the advertiser’s landing page through a series of intermediaries, one of which is an Ad Network. In one of the examples we saw, the laundry search site provided this link:
The link rotates and points to various sites seemingly through the AdCash Ad Network (image 4).
When we followed the ads served by the AdCash, we were quite surprised that the network appeared to be serving potentially fraudulent scam websites.
Since we utilized a Philippine IP address to crawl through the Ad Network’s links, we got scams targeted to Philippine residents. Scammers surprisingly took the time and effort to tailor campaigns to this demographic.
The capability of Ad Networks to target the right audiences combined with the local theme, presentation and even vernacular found on the websites, this whole setup makes for very convincing scam campaigns. Following are a few examples of scam websites identified.
Work From Home Scams – this appears to be an Internet scam to lead people to buy a work from home kit (image 5). Note how the article has a very specific locale and target (Philippines).
Different Version – here’s the same scam but presented differently. Scammers leverage local media outlets (image 6).
Facebook Fortunes – the scam begins with articles focusing on Philippine residents and even includes pictures of checks from local Philippine banks. Scammers are asking people to pay around $160-180 USD for a work from home kit that will allow them to make just as much, or more, money. Obviously, no kit is ever delivered. In some cases, it has been reported that they charge credit cards without consent. $257 USD per day may not be much, but considering that the minimum daily wage in the Philippines is only about $10 USD/day, it can be eye candy for many.
Gift Certificate Scams – some of the retail outlets mentioned (image 8) have already warned their customers about these fraudulent sites. Again, this scam web page is very locale specific and therefore must require the demographic targeting information provided by the Ad Network in order to be effective.
Rewards Scam – this site (image 9) is actually hosted in the same IP as the rewards-ph.com so it’s probably the same scammers. Additional research shows that this is related to “Planet 49,” which is under investigation in some countries. This web page uses local vernacular at the top, in addition to specific local Philippine retailers. Had we used a US-based IP address we would have likely seen US retailers.
Lotto Scam – it appears that this particular claim form (image 10) has been reported as fraudulent. Scammers promise “winnings” but victims need to pay fees for delivery, insurance, and taxes first. How convenient.
Green Card Lottery Scam – multiple fraud reports have already been documented for this green card lottery scam (image 11) and in some cases people have reported losing in excess of $1,000 USD.
IE Survey Scam – an IE survey to win a Mac (image 12)? Very little information was available but it is obviously not a Microsoft IE survey.
Computer Repair Scam – freezes your browser due to the continuous pop-ups (image 13). According to multiple reports, the number connects you to a sales person who will attempt to get you to install a rogue AV and a browser adware extension.
Spam, Adware and Malware
We decided to run the various Ad Network links through our malicious detection engine to identify other potentially suspicious websites. Our results identified multiple spam and adware sites being served.
SMS Spam – interestingly enough, WhatsChat (image 14) is real but in this case the “entertainment-factory” URL distributes SMS spam, popups and adware. Note that the carrier is also locale specific.
Mobile Apps – this similarly appears to be a mechanism for SMS spam (image 15). It appears one has to pay a subscription fee. The “landing.entertainment-factory.com” URL in general has a very low reputation and it appears to employ highly invasive spamming techniques.
Browser Hijacker – this infects various Internet browsers. It has been reported as a malicious website (image 16) by multiple anti-virus software solutions. Interestingly, it appears to utilize multiple, incremental domains (e.g. safedownloadsrus104, safedownloadsrus107, safedownloadsrus109 and so on).
Adware – launches new browser windows or tabs to show banner ads (image 17).
Malicious Websites – some of the landing pages detected (image 18) attempt to serve a Trojan to the user.
Download Attempt – this malicious website (image 19) does not even show any content, but rather attempts to download an executable file right away.
Drive by Download – some sites (image 20) download the executables to the user’s machine immediately without their permission. This is known as a drive by download.
And it appears like this is just the tip of the iceberg as we were served with a lot more low quality, malicious websites (image 21).
It’s a Jungle Out There
During the course of our research, it was interesting to witness a real Ad Network being utilized to deliver scams, spam, adware and other low quality and suspicious sites to a wide and highly targeted audience. More concerning was the realization that fraudulent and scam sites could actually hurt people emotionally and/or financially.
AdCash is a fairly large advertising network. It ranks in the Alexa Top 500 websites, and delivers content to hundreds of millions of unique visitors per day through an estimated 100,000+ websites and mobile applications. With such a vast reach, imagine the number of victims scammers can reach instantaneously.
Our research led us to ask if Ad Networks should be held responsible for policing their advertisers. Some of the Advertisers, in this case after all, are scammers. What about other mediums? If a TV network runs an ad for a pyramid scam, for example, would the TV network be liable for any damages that may ensue? This is a very grey area, but in our opinion, some form of due diligence should be conducted by the Ad Network. We suggest two solutions.
More In-depth Vetting of the Advertisers
How easy is it to advertise via an Ad Network? There are many ways but sometimes it’s as simple as filling out an online form along with a small monetary investment. In most cases, there is little, if any, vetting of Advertisers or their ad campaigns.
Understandably, the core business of Ad Networks is to make money from connecting ad units placed on publisher websites to relevant audiences, so vetting advertisers is probably a low priority. There should at least be some due diligence in the part of Ad Networks to ensure that their Advertisers are not fraudulent, like more in-depth background checks and auditing of ad units and landing pages.
Auditing of Advertiser Landing Pages
In digital advertising, heavy focus is placed on the quality of publisher websites. How much traffic do they get? How visible are the actual ad placements (header, sidebar, in-line with web page text, etc.)? What’s usually overlooked is the quality of the Advertiser. Ad Networks should audit both the ads and the Advertisers’ landing pages to identify scams, adware and malicious sites and objects. In this study, we simply ran the Advertiser landing pages through our malicious detection engine and were able to detect fraudulent, adware and malware sites without much effort (image 22).
Our detection service can “audit” an Ad Network’s inventory (the URLs where the ads point to) to identify malware, adware, phishing and other malicious websites, and can even help with the detection of non-human or bot generated traffic. Also of value would be the ability to detect porn, violence, hate, and other inappropriate content to help package and sell brand safe inventory.
The ad ecosystem is extremely complex. There are many players and transparency is difficult to provide. Increased transparency is in high demand, especially from legitimate Advertisers that continue to lose credibility, customers and billions of dollars in revenue due to scamvertising and the laundering of non-human and bot generated traffic. We reached out to AdCash and notified them of our findings, and would welcome the opportunity to help them, and any ad network for that matter, clean up their ad inventory. To be fair, our research and analysis is not a bash against AdCash, but is intended more to boost awareness about how Ad Networks are being exploited to disseminate spam, scams, malware, viruses and other web threats.
Lastly, the fault does not fall entirely on Ad Networks. End users ultimately bear the final responsibility whether they fall victim to a scam or not. Websites and offers behind an ad campaign are not always trustworthy.