Entries Tagged "web"


Security Incentives and Advertising Fraud

Details are in the article, but here’s the general idea:

Let’s follow the flow of the users:

  1. Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos.
  2. HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc).
  3. In the parked domains, ad networks serve display and PPC ads.
  4. The click-fraud sites click on the ads that appear within the parked domains.
  5. The legitimate publishers get invisible/fraudulent traffic through the (fraudulently) clicked ads from parked domains.
  6. Brand advertisers place their ad on the websites of the legitimate publishers, which in reality appear within the (invisible) iframe of HQTubeVideos.
  7. AdSafe detects the attempted placement within the porn website, and prevents the ads of the brand publisher from appearing in the legitimate website, which is hosted within the invisible frame of the porn site.

Notice how nicely orchestrated the whole scheme is: The parked domains “launder” the porn traffic. The ad networks place the ads in some legitimately-sounding parked domains, not in a porn site. The publishers get traffic from innocent domains such as RelaxHealth, not from porn sites. The porn site loads a variety of publishers, distributing the fraud across many publishers and many advertisers.

The most clever part of this is that it makes use of the natural externalities of the Internet.

And now let’s see who has the incentives to fight this. It is fraud, right? But I think it is a well-executed type of fraud. It targets and defrauds the player that has the least incentives to fight the scam.

Who is affected? Let’s follow the money:

  • The big brand advertisers (Continental, Coca Cola, Verizon, Vonage,…) pay the publishers and the ad networks for running their campaigns.
  • The publishers pay the ad network and the scammer for the fraudulent clicks.
  • The scammer pays PornoXo and TrafficHolder for the traffic.

The ad networks see clicks on their ads and they get paid, so there is not much to worry about. They would worry if their advertisers were not happy. But here we have a piece of genius:

The scammer did not target sites that would measure conversions or cost-per-acquisition. Instead, the scammer was targeting mainly sites that sell pay-per-impression ads and video ads. If the publishers display CPM ads paid by impression, any traffic is good; all impressions count. It is not an accident that the scammer targets publishers with video content, and plenty of pay-per-impression video ads. The publishers have no reason to worry if they get traffic and the cost-per-visit is low.

Effectively, the only ones hurt in this chain are the big brand advertisers, who feed the rest of the advertising chain.

Do the big brands care about this type of fraud? Yes and no, but not really deeply. Yes, they pay for some “invisible impressions”. But this is a marketing campaign. In any case, not all marketing attempts are successful. Do all readers of The Economist look at the printed ads? Hardly. Do all web users pay attention to the banner ads? I do not think so. Invisible ads are just one of the things that make advertising a little bit more expensive and harder. Consider it part of the cost of doing business. In any case, compared to the overall marketing budget of these behemoths, the cost of such fraud is peanuts.

The big brands do not want their brand to be hurt. If the ads do not appear in places inappropriate for the brand, things are fine. Fighting the fraud publicly? This will just associate the brand with fraud. No marketing department wants that.

Posted on May 22, 2012 at 6:24 AM

Password Security at Linode

Here’s something good:

We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of login attempts from a given remote address, and automatic tarpitting of requests from attackers.

And this:

Some of you may have noticed a few changes to the Linode Manager over the past few weeks, most notably that accessing your “My Profile” and the “Account -> Users & Permissions” subtab now require password re-authentication.

The re-authentication is meant to protect your contact settings, password changes, and other preferences. The re-auth lasts for about 10 minutes, after which you’ll be asked to provide your password again on those sections of the Linode Manager.

It’s nice to see some companies implementing these sorts of security measures.
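As an added illustration of how the three login protections and the re-authentication window fit together (example code written for this page, not Linode’s implementation, which the post does not show): the 10-minute re-auth window comes from the post; the doubling backoff schedule, the tarpit threshold of 10 failures, the 30-second tarpit hold and the one-hour failure memory are assumptions chosen for the example. The clock and sleep functions are injectable so the delays can be checked without actually waiting.

```python
import threading
import time
from typing import Callable, Dict, Tuple

# Tunables. Only the 10-minute re-auth window comes from the Linode post;
# the remaining values are this example's assumptions.
REAUTH_WINDOW = 600.0     # seconds ("about 10 minutes")
MAX_DELAY = 16.0          # cap on the per-failure backoff, seconds
TARPIT_THRESHOLD = 10     # consecutive failures before tarpitting
TARPIT_SECONDS = 30.0     # how long each tarpitted request is held
FAILURE_TTL = 3600.0      # failure history older than this is forgotten


class LoginGuard:
    """Per-remote-address brute-force protection plus a re-auth timer."""

    def __init__(self, check_password: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self._check = check_password
        self._clock = clock          # injectable so the logic is testable
        self._sleep = sleeper
        self._table_lock = threading.Lock()
        self._ip_locks: Dict[str, threading.Lock] = {}
        self._failures: Dict[str, Tuple[int, float]] = {}  # ip -> (count, last)
        self._reauth: Dict[str, float] = {}                 # session -> last auth

    def _lock_for(self, ip: str) -> threading.Lock:
        with self._table_lock:
            return self._ip_locks.setdefault(ip, threading.Lock())

    def delay_for(self, ip: str) -> float:
        """Seconds the next attempt from `ip` must wait before being checked."""
        with self._table_lock:
            rec = self._failures.get(ip)
            if rec is None:
                return 0.0
            count, last = rec
            if self._clock() - last > FAILURE_TTL:
                del self._failures[ip]
                return 0.0
        if count >= TARPIT_THRESHOLD:
            return TARPIT_SECONDS                       # tarpit: hold the request
        return min(2.0 ** (count - 1), MAX_DELAY)       # 1, 2, 4, 8, 16, 16, ...

    def login(self, ip: str, user: str, password: str, session: str) -> bool:
        # Holding the per-address lock across the delay is what forces
        # attempts from one address to run one at a time: a client that
        # opens 50 parallel connections gets 50 queued, serial attempts.
        with self._lock_for(ip):
            self._sleep(self.delay_for(ip))
            if self._check(user, password):
                with self._table_lock:
                    self._reauth[session] = self._clock()
                # Deliberately do not clear the failure count on success: an
                # attacker who owns one valid account could otherwise reset
                # the counter between guesses against other accounts.
                return True
            with self._table_lock:
                count, _ = self._failures.get(ip, (0, 0.0))
                self._failures[ip] = (count + 1, self._clock())
            return False

    def needs_reauth(self, session: str) -> bool:
        """True when a sensitive section must ask for the password again."""
        with self._table_lock:
            last = self._reauth.get(session)
        return last is None or self._clock() - last > REAUTH_WINDOW


if __name__ == "__main__":
    # Constructed demo: a fake sleeper records the delays instead of waiting.
    delays = []
    guard = LoginGuard(lambda u, p: p == "correct horse",
                       sleeper=lambda s: delays.append(s))
    for _ in range(12):
        guard.login("203.0.113.5", "alice", "wrong", "sess-1")
    print("delays imposed on the attacker:", delays)
    print("next attempt from that address waits:", guard.delay_for("203.0.113.5"))
```

The sleep inside the per-address lock is the important detail: the delay alone would let an attacker open many connections and pay it once in parallel, while serialising attempts per address makes every guess pay the full, growing delay. Any per-address scheme can still be spread across a botnet, which is why the re-auth window on the sensitive sections is a separate layer rather than a replacement.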

Posted on April 18, 2012 at 1:30 PM

Teenagers and Privacy

Good article debunking the myth that young people don’t care about privacy on the Internet.

Most kids are well aware of risks, and make “fairly sophisticated” decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don’t know out in the world (distant strangers) and those they don’t know in the community, such as high school students in their hometown (near strangers). Marisa, for example, a 10-year-old interviewed in the study (who technically is not allowed to use Facebook), “enjoys participating in virtual worlds and using instant messenger and Facebook to socialize with her friends”; is keenly aware of the risks—especially those related to privacy; and she doesn’t share highly sensitive personal information on her Facebook profile and actively blocks certain people.

[…]

Rather than fearing the unknown stranger, young adults are more wary of the “known other”—parents, school teachers, classmates, etc.—for fear of “the potential for the known others to share embarrassing information about them”; 83 percent of the sample group cited at least one known other they wanted to maintain their privacy from; 71 percent cited at least one known adult. Strikingly, seven out of the 10 participants who reported an incident when their privacy was breached said it was “perpetrated by known others.”

Posted on April 10, 2012 at 10:21 AM

Blue Coat Products Enable Web Censorship in Syria

It’s illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen:

“Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries,” [Blue Coat spokesman Steve] Schick told the Bureau. “In addition, we do not allow any of our resellers, regardless of their location in the world, to sell to an embargoed country, such as Syria.”

However, Schick did not rule out the possibility that the equipment could have been bought via a third party re-seller, noting that Blue Coat equipment can be found on websites like eBay.

Bet you anything that the Syrian Blue Coat products are registered, and that they receive all the normal code and filter updates.

EDITED TO ADD (11/14): The Wall Street Journal confirms it:

The appliances do have Blue Coat service and support contracts. The company says it has now cut off contracts for the devices.

Posted on October 24, 2011 at 1:39 PM

Facebook Patent to Track Users Even When They are Not Logged In to Facebook

Patent application number 2011/023240:

Communicating Information in a Social Network System about Activities from Another Domain

Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action. The method further includes correlating the logged actions with one or more advertisements presented to the one or more users on the third-party website as well as correlating the logged actions with a user of the social networking system.

Facebook denies that this is what the patent application covers, although Facebook does seem to track users even when they are not logged in, as well as people who aren’t even Facebook users.

EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don’t use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.

EDITED TO ADD (10/24): It’s a patent application, not a patent.

Posted on October 24, 2011 at 6:42 AM

Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords, a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM
