
10/6/2020
11:15 AM

Malware for Ad Fraud Gets More Sophisticated

Facebook says SilentFade campaign disabled notifications that could have warned users that their accounts had been compromised.

The operators of advertising fraud schemes have added persistence and the targeting of new platforms in their efforts to siphon off as much of the $125 billion online advertising market as possible, according to security and anti-fraud experts.

Last week, Facebook revealed that the company had uncovered a widespread attack on its users that had compromised accounts, gathered credentials and session tokens, and used the access to purchase advertisements, counterfeit and gray-market goods, and to create fake product reviews. Called SilentFade — which the company said stands for "Silently Running Facebook Ads with Exploits" — the malware infected users' systems and resulted in charges of more than $4 million, Facebook stated in its analysis.


The campaign — which Facebook discovered in December 2018 and took action against two months later — evaded threat detection by stealing session cookies from the user and logging in from an IP address geographically close to the victim. SilentFade also disabled many of the security warnings and notifications and used an exploit to prevent the user from undoing the changes, according to the company's researchers.

The attack marks a step up in sophistication for malware targeting social media, says Sanchit Karve, malware researcher for Facebook.

"Historically, the malware we've observed used social networks to spread and did not depend on them for monetization," he says. "SilentFade targeted social media services to run fraudulent ads and was the first we observed to actively target notification settings."

SilentFade is not the only major advertising-fraud operation to result in losses in the millions of dollars. In 2016, threat researchers at anti-fraud firm White Ops discovered an operation known as Methbot that garnered between $3 million and $5 million per day. Earlier this year, White Ops also disclosed a campaign where a large botnet posed as millions of smart TVs to fool advertisers into thinking that television viewers were watching their ads.

Even today, large botnets are conducting advertising fraud. The anti-fraud industry is tracking one botnet made up of mobile devices that has caused millions of dollars in damages, according to Danielle Meah, director of threat intelligence for the Trustworthy Accountability Group (TAG), a nonprofit industry initiative to stop advertising fraud.

"Not only are the attackers adapting to the defenses being put in place, but there is a lot of creativity and ingenuity from the actors in this space," she says. "Normally, if something didn't work, they would go away. Now it is more frequent they pop up, and they try to target the same organization again."

With the digital advertising market hitting $125 billion in 2019, and set to grow 6% in 2020, the allure for fraudsters will continue.

The online advertising industry is made up of a complex web of businesses, advertising networks, and media properties, which are so competitive that historically the lack of ethical practices has been problematic. In a 2018 report, for example, 44% of marketing executives did not believe that their advertising technology provider was honest and transparent. Because some firms profited from not investigating borderline practices, advertising fraud and click fraud flourished. In 2014, for example, security firm White Ops and the Association of National Advertisers found that advertising fraud caused monetized traffic to legitimate websites to increase anywhere from 5% to 50%.

That's no longer the case, says Mike Zaneis, president and CEO of TAG.

"There was kind of this crime of omission, where you just kind of turned a blind eye, because if you were on the sell side, it may financially benefit you," Zaneis acknowledges. "That's not the case anymore. Because companies know ... who the bad actors are, especially on the sell side, and they don't do business with them anymore."

Yet just as the advertising ecosystem has implemented defenses, ad fraudsters are increasing the sophistication of their operations. Facebook's research, presented at VB2020 localhost, a conference for the anti-malware industry, discovered that attackers had used a bug in its system to prevent victims from undoing the malicious changes and suppress notifications. 

In addition, SilentFade stole cookies containing session tokens, which are often considered more valuable than passwords, because they are post-authentication proof that the user provided the right credentials. By using cookies instead of stealing usernames and passwords, the attackers often sidestep two-factor authentication. The cookie-stealing component of SilentFade targeted a large number of browsers, including Chrome, Opera, Internet Explorer, Edge, and others.

"With these changes, SilentFade minimized the likelihood of users noticing unrecognized activity on their accounts — preserving undetected access to compromised accounts for longer," Facebook researchers stated in their analysis.
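The two evasion signals the article describes, a replayed session cookie presented from an IP near the victim and notification settings switched off afterwards, suggest what a defender's session log should be checked for. The following detection sketch is an added example, not Facebook's code; the session records, log events, field names (`ua`, `asn`, `city`, `notifications.*`) and the one-hour window are all constructed assumptions.

```python
# Added detection sketch (not Facebook's code): flag session-cookie replay
# using the signals the article describes, without trusting geolocation
# alone. ISSUED and EVENTS are constructed sample data.

ISSUED = {  # token -> what the session was bound to when it was issued
    "tokA": {"user": "alice", "ua": "Chrome/85", "asn": 7018, "city": "Denver"},
}

EVENTS = [  # constructed server-side log, one dict per request
    {"ts": 100, "token": "tokA", "kind": "use", "ua": "Chrome/85", "asn": 7018, "city": "Denver"},
    # replayed cookie: same city (a geo-only check passes) but new network and browser
    {"ts": 200, "token": "tokA", "kind": "use", "ua": "Opera/71", "asn": 3356, "city": "Denver"},
    {"ts": 260, "token": "tokA", "kind": "setting", "name": "notifications.login_alerts", "value": "off"},
    {"ts": 300, "token": "tokZ", "kind": "use", "ua": "Edge/85", "asn": 3356, "city": "Denver"},
]

WINDOW = 3600  # seconds: a notification change this soon after a new-network use is suspicious


def analyze(issued, events):
    """Return a list of (ts, user, reason) alerts in time order."""
    alerts = []
    first_new_net = {}  # token -> ts of first use from a network other than the issuing one
    for e in sorted(events, key=lambda x: x["ts"]):
        s = issued.get(e["token"])
        if s is None:
            alerts.append((e["ts"], None, "unknown session token"))
            continue
        if e["kind"] == "use":
            # Bind the cookie to the browser that obtained it, not just to a region.
            if e["ua"] != s["ua"]:
                alerts.append((e["ts"], s["user"], "user-agent differs from issuance"))
            if e["asn"] != s["asn"]:
                first_new_net.setdefault(e["token"], e["ts"])
                where = "same city" if e["city"] == s["city"] else "new city"
                alerts.append((e["ts"], s["user"], f"new network ({where})"))
        elif e["kind"] == "setting" and e["name"].startswith("notifications.") and e["value"] == "off":
            # Silencing alerts right after a new-network login is the SilentFade pattern.
            t0 = first_new_net.get(e["token"])
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                alerts.append((e["ts"], s["user"], "notifications disabled shortly after new-network use"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(ISSUED, EVENTS):
        print(alert)
```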

Facebook has hardened its service against SilentFade and the group's other attacks, but stressed that other social media platforms may still be affected by the ad fraud campaign. In December 2019, the company also sued Chinese firm ILikeAd Media International and two Chinese nationals for developing the SilentFade malware and spreading it to victims' systems.

Facebook will continue to pursue ad fraudsters, because users need to trust advertisers and their advertisements for the marketplace to grow, says Nathaniel Gleicher, head of security policy for the company. 

"We anticipate more platform-specific malware to appear in the future and hope to encourage closer collaboration between the antivirus industry and tech companies to strengthen our collective response against malware actors," he says.
