The operators of advertising fraud schemes have added persistence and the targeting of new platforms in their efforts to siphon off as much of the $125 billion online advertising market as possible, according to security and anti-fraud experts.
Last week, Facebook revealed that the company had uncovered a widespread attack on its users that had compromised accounts, gathered credentials and session tokens, and used the access to purchase advertisements, counterfeit and gray-market goods, and to create fake product reviews. Called SilentFade — which the company said stands for "Silently Running Facebook Ads with Exploits" — the malware infected users' systems and resulted in charges of more than $4 million, Facebook stated in its analysis.
The campaign — which Facebook discovered in December 2018 and took action against two months later — evaded threat detection by stealing session cookies from the user and logging in from an IP address geographically close to the victim. SilentFade also disabled many of the security warnings and notifications and used an exploit to prevent the user from undoing the changes, according to the company's researchers.
The attack marks a greater sophistication for malware targeting social media, says Sanchit Karve, malware researcher for Facebook.
"Historically, the malware we've observed used social networks to spread and did not depend on them for monetization," he says. "SilentFade targeted social media services to run fraudulent ads and was the first we observed to actively target notification settings."
SilentFade is not the only major advertising-fraud operation to result in losses in the millions of dollars. In 2016, threat researchers at anti-fraud firm White Ops discovered an operation known as Methbot that garnered between $3 million and $5 million per day. Earlier this year, White Ops also disclosed a campaign where a large botnet posed as millions of smart TVs to fool advertisers into thinking that television viewers were watching their ads.
Even today, large botnets are conducting advertising fraud. The anti-fraud industry is tracking one mobile-device botnet that has caused millions in damages, according to Danielle Meah, director of threat intelligence for the Trustworthy Accountability Group (TAG), a nonprofit industry initiative to stop advertising fraud.
"Not only are the attackers adapting to the defenses being put in place, but there is a lot of creativity and ingenuity from the actors in this space," she says. "Normally, if something didn't work, they would go away. Now it is more frequent they pop up, and they try to target the same organization again."
The online advertising industry is made up of a complex web of businesses, advertising networks, and media properties, which are so competitive that historically the lack of ethical practices has been problematic. In a 2018 report, for example, 44% of marketing executives did not believe that their advertising technology provider was honest and transparent. Because some firms profited from not investigating borderline practices, advertising fraud and click fraud flourished. In 2014, for example, security firm White Ops and the Association of National Advertisers found that advertising fraud caused monetized traffic to legitimate websites to increase anywhere from 5% to 50%.
That's no longer the case, says Mike Zaneis, president and CEO of TAG.
"There was kind of this crime of omission, where you just kind of turned a blind eye, because if you were on the sell side, it may financially benefit you," Zaneis acknowledges. "That's not the case anymore. Because companies know ... who the bad actors are, especially on the sell side, and they don't do business with them anymore."
Yet just as the advertising ecosystem has implemented defenses, ad fraudsters are increasing the sophistication of their operations. Facebook's research, presented at VB2020 localhost, a conference for the anti-malware industry, found that attackers had used a bug in its system to prevent victims from undoing the malicious changes and to suppress notifications.
In addition, SilentFade stole cookies containing session tokens, which are often considered more valuable than passwords, because they are post-authentication proof that the user provided the right credentials. By using cookies instead of stealing usernames and passwords, the attackers often sidestep two-factor authentication. The cookie-stealing component of SilentFade targeted a large number of browsers, including Chrome, Opera, Internet Explorer, Edge, and others.
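As an added illustration (not code from Facebook or from the original article), the sketch below shows why a location-only check misses a replayed session cookie that arrives from a nearby IP address, while binding the session to the client it was issued to does not. The event fields, the client fingerprint, and the action names are assumptions, and the log is constructed sample data.

```python
from dataclasses import dataclass

# Post-hijack actions the article attributes to SilentFade (names are hypothetical).
SENSITIVE = {"disable_notifications", "create_ad"}

@dataclass(frozen=True)
class Event:
    session: str   # opaque session-token identifier (constructed)
    city: str      # geolocation of the source IP
    client: str    # hypothetical client fingerprint (e.g. device ID + user agent)
    action: str

def geo_only_alerts(events):
    """Baseline check: alert only when a session shows up from a new city."""
    first_city, alerts = {}, []
    for e in events:
        if first_city.setdefault(e.session, e.city) != e.city:
            alerts.append(e)
    return alerts

def binding_alerts(events):
    """Alert when a session token is presented by a client other than the one
    it was first seen on; rate it high when that request is a sensitive action."""
    bound, alerts = {}, []
    for e in events:
        if bound.setdefault(e.session, e.client) != e.client:
            severity = "high" if e.action in SENSITIVE else "medium"
            alerts.append((severity, e))
    return alerts

# Constructed sample log: session s1 is replayed from the same city by a second
# client (fp-B); session s2 is an ordinary user buying an ad on their own device.
SAMPLE = [
    Event("s1", "Lisbon", "fp-A", "login"),
    Event("s1", "Lisbon", "fp-A", "view_feed"),
    Event("s1", "Lisbon", "fp-B", "view_feed"),
    Event("s1", "Lisbon", "fp-B", "disable_notifications"),
    Event("s1", "Lisbon", "fp-B", "create_ad"),
    Event("s2", "Oslo", "fp-C", "login"),
    Event("s2", "Oslo", "fp-C", "create_ad"),
]

if __name__ == "__main__":
    print("geo-only alerts:", len(geo_only_alerts(SAMPLE)))
    for severity, e in binding_alerts(SAMPLE):
        print(severity, e.session, e.client, e.action)
```
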
"With these changes, SilentFade minimized the likelihood of users noticing unrecognized activity on their accounts — preserving undetected access to compromised accounts for longer," Facebook researchers stated in their analysis.
Facebook has hardened its service against SilentFade and the group's other attacks, but stressed that other social media platforms may still be affected by the ad fraud campaign. In December 2019, the company also sued Chinese firm ILikeAd Media International and two Chinese nationals for developing the SilentFade malware and spreading it to victims' systems.
Facebook will continue to pursue ad fraudsters, because users need to trust advertisers and their advertisements for the marketplace to grow, says Nathaniel Gleicher, head of security policy for the company.
"We anticipate more platform-specific malware to appear in the future and hope to encourage closer collaboration between the antivirus industry and tech companies to strengthen our collective response against malware actors," he says.