Schneier on Security
A blog covering security and security technology.
May 22, 2012
Security Incentives and Advertising Fraud
Details are in the article, but here's the general idea:
Let's follow the flow of the users:
- Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos.
- HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc).
- In the parked domains, ad networks serve display and PPC ads.
- The click-fraud sites click on the ads that appear within the parked domains.
- The legitimate publishers get invisible/fraudulent traffic through the (fraudulently) clicked ads from parked domains.
- Brand advertisers place their ad on the websites of the legitimate publishers, which in reality appear within the (invisible) iframe of HQTubeVideos.
- AdSafe detects the attempted placement within the porn website, and prevents the ads of the brand publisher from appearing in the legitimate website, which is hosted within the invisible frame of the porn site.
Notice how nicely orchestrated the whole scheme is: The parked domains "launder" the porn traffic. The ad networks place the ads in some legitimately-sounding parked domains, not in a porn site. The publishers get traffic from innocent domains such as RelaxHealth, not from porn sites. The porn site loads a variety of publishers, distributing the fraud across many publishers and many advertisers.
The most clever part of this is that it makes use of the natural externalities of the Internet.
And now let's see who has the incentives to fight this. It is fraud, right? But I think it is a well-executed type of fraud. It targets and defrauds the player that has the least incentive to fight the scam.
Who is affected? Let's follow the money:
- The big brand advertisers (Continental, Coca Cola, Verizon, Vonage,...) pay the publishers and the ad networks for running their campaigns.
- The publishers pay the ad network and the scammer for the fraudulent clicks.
- The scammer pays PornoXo and TrafficHolder for the traffic.
The ad networks see clicks on their ads and they get paid, so there is not much to worry about. They would worry if their advertisers were not happy. But here we have a piece of genius:
The scammer did not target sites that would measure conversions or cost-per-acquisition. Instead, the scammer was targeting mainly sites that sell pay-per-impression ads and video ads. If the publishers display CPM ads paid by impression, any traffic is good, all impressions count. It is not an accident that the scammer targets publishers with video content, and plenty of pay-per-impression video ads. The publishers have no reason to worry if they get traffic and the cost-per-visit is low.
Effectively, the only ones hurt in this chain are the big brand advertisers, who feed the rest of the advertising chain.
Do the big brands care about this type of fraud? Yes and no, but not really deeply. Yes, they pay for some "invisible impressions". But this is a marketing campaign. In any case, not all marketing attempts are successful. Do all readers of the Economist look at the printed ads? Hardly. Do all web users pay attention to the banner ads? I do not think so. Invisible ads are just one of the things that make advertising a little bit more expensive and harder. Consider it part of the cost of doing business. In any case, compared to the overall marketing budget of these behemoths, the cost of such fraud is peanuts.
The big brands do not want their brand to be hurt. If the ads do not appear in places inappropriate for the brand, things are fine. Fighting the fraud publicly? This will just associate the brand with fraud. No marketing department wants that.
Posted on May 22, 2012 at 6:24 AM
Always thought this type of fraud is genius. The main question (as you said) is: who cares?
I'm curious how botnets fit into this type of fraud, if at all...
You should really put something like "Warning, link NSFW" or similar. Some IT security people follow your blog from... well... work. For everyone else's benefit, warning, the linked article above is NSFW.
Thanks for the warning Harvey.
the linked article above is NSFW
You'd know that if you used AdSafe.
From the first paragraph of the article:
"(Hint: to avoid the WSJ paywall, search the title of the article through Google News and click from there, to read the full article)."
I agree Bruce. It is clever. There will always be people that will look for the "easy" way to make money. The amount of effort, imaginative thought, and drive could be directed in a legitimate direction.
These types of people are not stupid criminals as we normally think of them.
Granted they do get caught a lot because of arrogance, etc.
The really good ones I still maintain might not get caught. They just work for Wall Street (clever algos). Or governments pay them to hack for them..
They tend to be really quick to learn how to do things.. :)
BTW read this guy, we don't need firewalls!!!!....
I wavered between laughing or tearing up from the sheer ignorance..
It should have said, firewalls won't save you from attacks...This article is from a supposed security writer...
The link to the article may not have been NSFW at the time Bruce posted it. The text preceding the NSFW pictures indicates that the author did not initially include them, because they were NSFW and he did not want to identify the advertisers. He didn't add the pictures to the article until after the advertisers were identified in the WSJ article.
@EvilKiru: The article was updated, but it was over a year ago (3/17/2011).
You're missing one player hurt in this - the user.
Some people do have caps and also share bandwidth with other people at the location.
One way to test a new browser or to do beta testing is to give it a try out on a porn site on a system you don't mind rebuilding. You'll find just about every security flaw in the world on those sites. I know, it sounds like the kind of excuse I used when I was a fresh-out-of-school lawyer and had a drug store bandit who claimed that his alibi witnesses were women that worked at the strip clubs in a downtown southern city. I had to go to every one of them and the alibis didn't hold out and he pleaded guilty, but I did get a tour of the places. But if you seriously want to give a beta browser or an OS a real workout, put on your blinders and visit a porn site; it is a quick, easy way to test security on a new browser or a beta of an OS and give them a real workout. Just watch your BIOS and other computer parts. Otherwise, just buy porn if you have to have it.
I suppose, though, that these links are not in any way security issues; I suspect that they wouldn't want to mess with the fish by lacing the trail to the bait with arsenic.
I don't know man. You hear about that a lot, porn sites picking up security problems, but porn is big business. Lot of money. They have a vested financial interest in keeping on top of security.
Now religious groups, or anti-virus scams, those are far more vulnerable sites with little to no technical ability or funding for security. And the site visitors... Usually not top drawer techie talent.
I have to disagree a little and add tech sites. One of the two times in over 10 yrs I caught anything on the web was from a mainstream tech site (cough t****irt cough). It was one SOB to get rid of, and even then I just reformatted and installed from backups. I just wasn't convinced I had gotten all of it.
Where do the geeks hang out? You got it, and I caught it.
BTW anybody that goes to pron sites knows it's not necessarily safe. The only more dangerous one I can think of would be going to DEFCON with a computer on their open network...
Sorry to double post. I just thought of something. DEFCON would be a good way to test your security. If 5k hackers can't get in.....but then we are not all rob schneier....
The big advertisers are being harmed, but they have no way to measure how much (fraud vs. actual ad views by uninterested users) and the fraudulent ad views are probably a small fraction of the overall ad views.
There isn't much they can do against this type of fraud.
Got to give these guys credit for their ingenuity. Just finished reading a very interesting paper on adaptive user interface randomization as an anti-clickjacking strategy at http://www.thesecuritypractice.com/... . And for what it's worth, thank God for add-ons such as AdBlock Plus, Ghostery, NoScript and the like. I've gotten so used to them that I am absolutely flabbergasted to see what many pages look like each time I occasionally have to use Internet Explorer on someone else's Windows machine. Not to mention what is under the hood.
I think the big marketing depts may be even more afraid of being linked to pron sites than to fraud...
@Bubba: I guess true pron businesses that actually charge real money for their high-quality, fully legal stuff don't do that.
But I agree that quite a lot of the net-pron out there is just bait. Specific genres of it may be bait most of the time, even.
@X wrote "Now religious groups"
@Jacob wrote "One of the two times in over 10yrs I caught anything on the web, was from a mainstream tech site"
X is right, Symantec made a report about that, hosted at http://www.symantec.com/content/en/us/enterprise/...
Page 33 reads as follows:
"Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free; it's not good for repeat business."
According to page 36, Jacob is right too: 2.5 times more infections on tech sites than porn sites. Though economy sites are even more dangerous, and personal pages even more dangerous.
However, since the marketers will measure (however they measure this) less impact from the marketing campaign, this type of fraud will diminish the value of brand advertising on the web. Which will lower the price of such advertising, which will hurt legitimate publishers using this business model.
So they are also harmed (indirectly, by some amount) by this type of fraud. If impressions were currency, this would be counterfeiting.
Another security incentive: I notice that the article ends with
Only if fraud becomes really big there will be the real incentive to fight advertising fraud. Until then, you know how to make $500K/month...
and that the author is affiliated with AdSafe, who have a tool that detects this scheme. :)
Not to advocate security by obscurity and say that the publication wasn't justified -- just saying that if you are looking at incentives, you should also consider who has incentive to disclose the attack. If e.g. an ad network had discovered this, would they have disclosed it? Silently blocked it? Allowed it to continue?
From the article: "reading the address of the top frame is a challenging problem. For security reasons, browsers do not allow cross-domain scripting. So, it is not possible to just call the "top" object and read its properties. We [AdSafe] have a proprietary solution for this."
This seems extremely sketchy on the part of the supposedly legitimate company AdSafe.
Can anybody explain where the fraud is in this scheme and who is committing it? Where is the violation of a legal or contractual obligation?
IIRC a 0 x 0 iframe means the contents will never be visible. So why does the browser load the contents? An option to ignore it would help users with download caps.
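The scheme described in the post depends on the publisher's page being rendered inside an invisible frame on a site the publisher never agreed to appear on, and two comments above touch the detection side of that: the quote from the article about how hard it is to read the top frame's address across origins, and the question of why a 0x0 iframe loads at all. The check below is an added example, not code from the post, the linked article, or AdSafe. It shows what a publisher page or ad-verification tag can learn about its own framing from inside the frame, without breaking the same-origin policy: whether it is framed, whether the viewport is too small to be seen, and (in Chromium and WebKit, via `location.ancestorOrigins`) which origins enclose it. The size threshold, the trusted-origin list, and the `*.example` hostnames are assumptions constructed for the example; the function takes a window-like object so the logic can be exercised on constructed snapshots outside a browser.

```javascript
// Added example (not from the post or from AdSafe): a defensive self-check a
// publisher page or ad-verification tag can run to judge whether it is being
// rendered inside an invisible third-party frame.  The check takes a
// window-like object so it can be run on constructed snapshots; at the bottom
// it runs against the real window when one exists.

// Smallest frame area (CSS px) treated as plausibly visible to a person.
// 300x250 is the smallest standard display-ad unit, so anything far below it
// is treated as hidden.  The threshold is an assumption for this example.
const MIN_VISIBLE_AREA = 100 * 100;

// Origins allowed to frame this page: the publisher's own site and partners it
// knowingly syndicates to.  Constructed for the example.
const TRUSTED_ANCESTORS = new Set([
  "https://publisher.example",
  "https://partner.example",
]);

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // empty or unparsable referrer
  }
}

function framingReport(win, trusted = TRUSTED_ANCESTORS) {
  const report = {
    framed: false,
    hidden: false,
    ancestors: [], // origins of enclosing frames, parent first, top last
    topOriginKnown: false,
    suspicious: false,
    reasons: [],
  };

  // 1. Are we framed at all?  For a top-level document win.top === win.self.
  //    Reading win.top can throw in some sandboxed contexts; treat that as framed.
  try {
    report.framed = win.top !== win.self;
  } catch (e) {
    report.framed = true;
  }
  if (!report.framed) return report;

  // 2. Zero-size or near-zero viewport: the classic invisible-iframe tell.  A 0x0
  //    iframe still fetches and renders its content; only the user never sees it.
  const area = (win.innerWidth || 0) * (win.innerHeight || 0);
  if (area < MIN_VISIBLE_AREA) {
    report.hidden = true;
    report.reasons.push(`viewport ${win.innerWidth}x${win.innerHeight} too small to be seen`);
  }

  // 3. Who is framing us?  The same-origin policy blocks reading win.top.location,
  //    but Chromium and WebKit expose location.ancestorOrigins: the origins (not
  //    the documents) of every ancestor browsing context, so it can be read
  //    cross-origin.  Firefox does not implement it, so fall back to
  //    document.referrer, which reveals at most the immediate parent, and only
  //    if the parent sent one.
  const ao = win.location && win.location.ancestorOrigins;
  if (ao && ao.length > 0) {
    report.ancestors = Array.from(ao); // DOMStringList is array-like
    report.topOriginKnown = true;
  } else {
    const ref = originOf(win.document && win.document.referrer);
    if (ref) report.ancestors = [ref];
    report.reasons.push("top-frame origin not observable; only referrer available");
  }

  const unknown = report.ancestors.filter((o) => !trusted.has(o));
  if (unknown.length > 0) {
    report.reasons.push(`framed by untrusted origin(s): ${unknown.join(", ")}`);
  }

  // Flag when hidden, or when any enclosing frame is outside the trusted set.
  report.suspicious = report.hidden || unknown.length > 0;
  return report;
}

// In a browser, run the check on the real window; a real deployment would send
// the report to a measurement endpoint instead of the console.
if (typeof window !== "undefined") {
  console.log(framingReport(window));
}
```

Two caveats a practitioner should keep in mind: a page can only observe this from inside its own frame, so it sees nothing until the fraudulent placement has already loaded it (the check produces measurement, not prevention), and when `ancestorOrigins` is unavailable the report can only name the immediate parent, which is exactly the "laundering" parked domain in the scheme above, not the site that ultimately frames it.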
This was a good post with great comments. I had never heard about this exploit, but I am sure it is one of many. AdSafe is also new to me.
I was expecting to hear there was some "conversion fraud" involved. Maybe these scammers consider that the relatively low cost per impression won't warrant action to ensure the advertisers keep advertising?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.