Malware for Ad Fraud Gets More Sophisticated

Facebook says SilentFade campaign disabled notifications that could have warned users that their accounts had been compromised.

The operators of advertising fraud schemes have added persistence and the targeting of new platforms in their efforts to siphon off as much of the $125 billion online advertising market as possible, according to security and anti-fraud experts.

Last week, Facebook revealed that the company had uncovered a widespread attack on its users that had compromised accounts, gathered credentials and session tokens, and used the access to purchase advertisements, counterfeit and gray-market goods, and to create fake product reviews. Called SilentFade — which the company said stands for "Silently Running Facebook Ads with Exploits" — the malware infected users' systems and resulted in charges of more than $4 million, Facebook stated in its analysis.

The campaign — which Facebook discovered in December 2018 and took action against two months later — evaded threat detection by stealing session cookies from the user and logging in from an IP address geographically close to the victim. SilentFade also disabled many of the security warnings and notifications and used an exploit to prevent the user from undoing the changes, according to the company's researchers.

The attack marks a greater sophistication for malware targeting social media, says Sanchit Karve, malware researcher for Facebook.

"Historically, the malware we've observed used social networks to spread and did not depend on them for monetization," he says. "SilentFade targeted social media services to run fraudulent ads and was the first we observed to actively target notification settings."

SilentFade is not the only major advertising-fraud operation to result in losses in the millions of dollars. In 2016, threat researchers at anti-fraud firm White Ops discovered an operation known as Methbot that garnered between $3 million and $5 million per day. Earlier this year, White Ops also disclosed a campaign where a large botnet posed as millions of smart TVs to fool advertisers into thinking that television viewers were watching their ads.

Even today, large botnets are conducting advertising fraud. The anti-fraud industry is tracking one botnet built from mobile devices that has caused millions of dollars in damages, according to Danielle Meah, director of threat intelligence for the Trustworthy Accountability Group (TAG), a nonprofit industry initiative to stop advertising fraud.

"Not only are the attackers adapting to the defenses being put in place, but there is a lot of creativity and ingenuity from the actors in this space," she says. "Normally, if something didn't work, they would go away. Now it is more frequent they pop up, and they try to target the same organization again."

With the digital advertising market hitting $125 billion in 2019, and set to grow 6% in 2020, the allure for fraudsters will continue.

The online advertising industry is made up of a complex web of businesses, advertising networks, and media properties, which are so competitive that historically the lack of ethical practices has been problematic. In a 2018 report, for example, 44% of marketing executives did not believe that their advertising technology provider was honest and transparent. Because some firms profited from not investigating borderline practices, advertising fraud and click fraud flourished. In 2014, for example, security firm White Ops and the Association of National Advertisers found that advertising fraud caused monetized traffic to legitimate websites to increase anywhere from 5% to 50%.

That's no longer the case, says Mike Zaneis, president and CEO of TAG.

"There was kind of this crime of omission, where you just kind of turned a blind eye, because if you were on the sell side, it may financially benefit you," Zaneis acknowledges. "That's not the case anymore. Because companies know ... who the bad actors are, especially on the sell side, and they don't do business with them anymore."

Yet just as the advertising ecosystem has implemented defenses, ad fraudsters are increasing the sophistication of their operations. Facebook's research, presented at VB2020 localhost, a conference for the anti-malware industry, discovered that attackers had used a bug in its system to prevent victims from undoing the malicious changes and suppress notifications. 

In addition, SilentFade stole cookies containing session tokens, which are often considered more valuable than passwords, because they are post-authentication proof that the user provided the right credentials. By using cookies instead of stealing usernames and passwords, the attackers often sidestep two-factor authentication. The cookie-stealing component of SilentFade targeted a large number of browsers, including Chrome, Opera, Internet Explorer, Edge, and others.
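The two paragraphs above describe why a stolen session cookie is worth more than a password (it is post-authentication proof, so the second factor never gets re-checked) and why logging in from an IP address near the victim defeats a geography-based anomaly check. The following Python example, added here and not part of Facebook's research or code, shows both points as server-side detection logic: a geo-only check that a nearby replay passes, beside a check that binds the session to the request attributes seen at login. Every session record, IP address (RFC 5737 documentation ranges) and request line is constructed, and "same /24 network" stands in for a real geolocation lookup.

```python
"""
Session-binding check: a geo-proximity test alone does not catch a replayed
session cookie, while binding the session to its login-time context does.

Added example; not Facebook's code. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Context:
    """Attributes observed on an HTTP request that presented the cookie."""
    ip: str
    user_agent: str
    accept_language: str


@dataclass(frozen=True)
class Session:
    """Server-side session record, captured when the user authenticated."""
    token: str
    user: str
    issued_from: Context


def same_region(ip_a: str, ip_b: str) -> bool:
    """Constructed stand-in for a geo lookup: two addresses in the same /24
    count as geographically close."""
    net = ipaddress.ip_network(f"{ip_a}/24", strict=False)
    return ipaddress.ip_address(ip_b) in net


def geo_only_check(session: Session, request: Context) -> bool:
    """Weak check: accept the cookie if the request comes from near where the
    session was created. A replay from a nearby address passes this."""
    return same_region(session.issued_from.ip, request.ip)


def bound_check(session: Session, request: Context) -> list[str]:
    """Stronger check: compare every attribute the session was bound to at
    login. Returns the mismatched attribute names; an empty list means OK.
    The cookie value is identical either way, which is the point: the
    post-authentication token carries no second factor with it."""
    issued = session.issued_from
    mismatches: list[str] = []
    if not same_region(issued.ip, request.ip):
        mismatches.append("ip_region")
    if issued.user_agent != request.user_agent:
        mismatches.append("user_agent")
    if issued.accept_language != request.accept_language:
        mismatches.append("accept_language")
    return mismatches


def triage(session: Session, requests: list[Context]) -> list[dict]:
    """Run both checks over a batch of requests and report what each would
    decide. A bound-check mismatch is the signal to revoke the session and
    notify the user through a channel the session itself cannot suppress."""
    results = []
    for req in requests:
        mismatches = bound_check(session, req)
        results.append({
            "ip": req.ip,
            "geo_only_allows": geo_only_check(session, req),
            "bound_mismatches": mismatches,
            "action": "allow" if not mismatches else "revoke_session_and_notify",
        })
    return results


# Constructed sample: the victim authenticated (second factor included) from
# this context, and the server bound the session to it.
VICTIM_LOGIN = Context("203.0.113.5", "Firefox/81.0", "en-US")
SESSION = Session(token="constructed-session-cookie", user="victim",
                  issued_from=VICTIM_LOGIN)

# Constructed request log: the victim's own traffic, then the same cookie
# presented from a nearby address with a different browser, then from afar.
REQUESTS = [
    Context("203.0.113.5", "Firefox/81.0", "en-US"),    # victim, same browser
    Context("203.0.113.77", "Chrome/86.0", "de-DE"),    # replay from nearby IP
    Context("198.51.100.9", "Firefox/81.0", "en-US"),   # replay from elsewhere
]

if __name__ == "__main__":
    for row in triage(SESSION, REQUESTS):
        print(row)
```

Running the block shows the second request clearing the geo-only check while the bound check reports `user_agent` and `accept_language` mismatches; in a real service the bound attributes would be hashed into the session record at login rather than compared as plain strings, and a mismatch would trigger revocation plus an out-of-band notification, since an in-app notification is exactly what the article says the malware switched off.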

"With these changes, SilentFade minimized the likelihood of users noticing unrecognized activity on their accounts — preserving undetected access to compromised accounts for longer," Facebook researchers stated in their analysis.

Facebook has hardened its service against SilentFade and the group's other attacks, but stressed that other social media platforms may still be affected by the ad fraud campaign. In December 2019, the company also sued Chinese firm ILikeAd Media International and two Chinese nationals for developing the SilentFade malware and spreading it to victims' systems.

Facebook will continue to pursue ad fraudsters, because users need to trust advertisers and their advertisements for the marketplace to grow, says Nathaniel Gleicher, head of security policy for the company. 

"We anticipate more platform-specific malware to appear in the future and hope to encourage closer collaboration between the antivirus industry and tech companies to strengthen our collective response against malware actors," he says.
