Dark Reading is part of the Informa Tech Division of Informa PLC

11:15 AM

Malware for Ad Fraud Gets More Sophisticated

Facebook says SilentFade campaign disabled notifications that could have warned users that their accounts had been compromised.

The operators of advertising fraud schemes have added persistence and the targeting of new platforms in their efforts to siphon off as much of the $125 billion online advertising market as possible, according to security and anti-fraud experts.

Last week, Facebook revealed that the company had uncovered a widespread attack on its users that had compromised accounts, gathered credentials and session tokens, and used the access to purchase advertisements, counterfeit and gray-market goods, and to create fake product reviews. Called SilentFade — which the company said stands for "Silently Running Facebook Ads with Exploits" — the malware infected users' systems and resulted in charges of more than $4 million, Facebook stated in its analysis.

The campaign — which Facebook discovered in December 2018 and took action against two months later — evaded threat detection by stealing session cookies from the user and logging in from an IP address geographically close to the victim. SilentFade also disabled many of the security warnings and notifications and used an exploit to prevent the user from undoing the changes, according to the company's researchers.

The attack marks a greater sophistication for malware targeting social media, says Sanchit Karve, malware researcher for Facebook.

"Historically, the malware we've observed used social networks to spread and did not depend on them for monetization," he says. "SilentFade targeted social media services to run fraudulent ads and was the first we observed to actively target notification settings."

SilentFade is not the only major advertising-fraud operation to result in losses in the millions of dollars. In 2016, threat researchers at anti-fraud firm White Ops discovered an operation known as Methbot that garnered between $3 million and $5 million per day. Earlier this year, White Ops also disclosed a campaign where a large botnet posed as millions of smart TVs to fool advertisers into thinking that television viewers were watching their ads.

Even today, large botnets are conducting advertising fraud. The anti-fraud industry is tracking one botnet made up of mobile devices that has caused millions of dollars in damages, according to Danielle Meah, director of threat intelligence for the Trustworthy Accountability Group (TAG), a nonprofit industry initiative to stop advertising fraud.

"Not only are the attackers adapting to the defenses being put in place, but there is a lot of creativity and ingenuity from the actors in this space," she says. "Normally, if something didn't work, they would go away. Now it is more frequent they pop up, and they try to target the same organization again."

With the digital advertising market hitting $125 billion in 2019, and set to grow 6% in 2020, the allure for fraudsters will continue.

The online advertising industry is made up of a complex web of businesses, advertising networks, and media properties, which are so competitive that a lack of ethical practices has historically been a problem. In a 2018 report, for example, 44% of marketing executives did not believe that their advertising technology provider was honest and transparent. Because some firms profited from not investigating borderline practices, advertising fraud and click fraud flourished. In 2014, for example, security firm White Ops and the Association of National Advertisers found that advertising fraud caused monetized traffic to legitimate websites to increase anywhere from 5% to 50%.

That's no longer the case, says Mike Zaneis, president and CEO of TAG.

"There was kind of this crime of omission, where you just kind of turned a blind eye, because if you were on the sell side, it may financially benefit you," Zaneis acknowledges. "That's not the case anymore. Because companies know ... who the bad actors are, especially on the sell side, and they don't do business with them anymore."

Yet just as the advertising ecosystem has implemented defenses, ad fraudsters are increasing the sophistication of their operations. Facebook's research, presented at VB2020 localhost, a conference for the anti-malware industry, found that attackers had used a bug in its system to prevent victims from undoing the malicious changes and to suppress notifications.

In addition, SilentFade stole cookies containing session tokens, which are often considered more valuable than passwords, because they are post-authentication proof that the user provided the right credentials. By using cookies instead of stealing usernames and passwords, the attackers often sidestep two-factor authentication. The cookie-stealing component of SilentFade targeted a large number of browsers, including Chrome, Opera, Internet Explorer, Edge, and others.
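The cookie theft described above, together with the evasion tactics mentioned earlier (logging in from a nearby IP address and muting in-app notifications), can be countered server-side by binding a session to the client context captured at authentication and alerting through a channel the session itself cannot reconfigure. The following Python is an added example, not Facebook's code or anything from the SilentFade analysis; the session store, the scoring weights and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ClientContext:
    """Request attributes that a copied cookie does not automatically carry."""
    ip_prefix: str        # first three octets, e.g. "203.0.113" (coarse location proxy)
    user_agent: str
    accept_language: str

@dataclass
class Session:
    user: str
    token: str
    issued_from: ClientContext     # context recorded at the moment of authentication
    revoked: bool = False
    notices: list = field(default_factory=list)   # out-of-band messages (email/SMS)

def risk_score(session: Session, ctx: ClientContext) -> int:
    """Weighted mismatch between issuing context and presenting context.
    IP drift alone is low weight: users roam, and an attacker may deliberately
    pick a nearby address. Browser identity drift is weighted higher."""
    score = 0
    if ctx.ip_prefix != session.issued_from.ip_prefix:
        score += 1
    if ctx.accept_language != session.issued_from.accept_language:
        score += 1
    if ctx.user_agent != session.issued_from.user_agent:
        score += 2
    return score

def check_request(session: Session, ctx: ClientContext, threshold: int = 2) -> str:
    """Return 'ok', 'revoke' (this request tripped the threshold) or 'revoked'.
    Revocation queues a notice on a channel the session cannot mute, so the
    real owner learns about it even if in-app notifications were disabled."""
    if session.revoked:
        return "revoked"
    if risk_score(session, ctx) >= threshold:
        session.revoked = True
        session.notices.append(f"session for {session.user} revoked; re-authenticate")
        return "revoke"
    return "ok"

# Constructed sample: owner logs in from Chrome on Windows, later roams to another
# network, then the same cookie is presented from a nearby IP by a different client.
OWNER   = ClientContext("203.0.113", "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0", "en-US,en")
ROAMING = ClientContext("198.51.100", "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0", "en-US,en")
THIEF   = ClientContext("203.0.114", "python-requests/2.24", "en-US,en")

def replay() -> list:
    s = Session("alice", "opaque-token", OWNER)
    return [check_request(s, c) for c in (OWNER, ROAMING, THIEF, OWNER)]
```

The final verdict shows the trade-off: once a stolen cookie is detected, the legitimate owner is also forced to re-authenticate, which is the intended failure mode.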

"With these changes, SilentFade minimized the likelihood of users noticing unrecognized activity on their accounts — preserving undetected access to compromised accounts for longer," Facebook researchers stated in their analysis.

Facebook has hardened its service against SilentFade and the group's other attacks, but stressed that other social media platforms may still be affected by the ad fraud campaign. In December 2019, the company also sued Chinese firm ILikeAd Media International and two Chinese nationals for developing the SilentFade malware and spreading it to victims' systems.

Facebook will continue to pursue ad fraudsters, because users need to trust advertisers and their advertisements for the marketplace to grow, says Nathaniel Gleicher, head of security policy for the company. 

"We anticipate more platform-specific malware to appear in the future and hope to encourage closer collaboration between the antivirus industry and tech companies to strengthen our collective response against malware actors," he says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
