Source: securityaffairs.co/Downloads/Cybercriminals_Using_Facebook.pdf

Cybercriminals Using Facebook Paid Advertisements to Defraud

Follow up on "Cybercriminals Leveraging Facebook"

Written by: Frank Angiolelli, Eric Feinberg, Ian Malloy

8/5/2013

Cybercriminals are using Facebook's Paid Sponsored Advertisement system to commit Intellectual Property Theft, defraud users and negatively impact the economies of the USA and Europe.


Contents

Executive Summary
Audience
Paid Sponsored Advertisements
Nefarious & Fraud Websites
Payment Methods
Attribution, Replication and Zombie Farms
Example: The "OJR Group" + Successful Predictive Sites
How is This Being Delivered?
    Registrars
    Web Hosting
    Geographic Location of Web Hosting
Theft of Intellectual Property by Brand
Scope and Scale
Intellectual Property Owners Cannot Effectively Combat This
Attribution – Chinese Actors
Conclusions & Predictions
Quantitative Analysis Provided by Malloy Labs


Executive Summary:

Organized cybercriminals are leveraging Facebook's Paid "Sponsor Ads" system to deliver nefarious websites to Facebook users as they engage with social media. Initially the study focused on one brand, Louis Vuitton; it quickly became clear that the activity involved coordinated groups using multiple brand names in a mass distribution system affecting the entire ecosystem.

During our study, a single user was presented with as many as 20 unique fraud advertisements in an 8-hour period on Facebook, as well as multiple repeat fraud websites. We observed masses of redirector sites owned by ascribable groups employing varying evasive techniques to redirect users to their fraudulent content. We have enough evidence to be confident in attributing the origin to Chinese actors and in identifying multiple separate modus operandi in Zombie redirection farms.

In response, cyber security expert Frank Angiolelli developed semi-autonomous systems, drawing on the social networking knowledge of Eric Feinberg, to identify nefarious or counterfeit websites among a mass of legitimate sites while tracking correlation data. Over a three-week period we identified a body of 225 individual counterfeit paid advertisements, on an exponentially increasing frequency curve commensurate with the resources assigned.

Our identification of sites was performed programmatically using input from Eric Feinberg and his team, run through systems and algorithms created by Frank Angiolelli. After identification, the data was sent to Malloy Labs for predictive analytics on the correlated true-positive data. The result is that, in mere seconds, 95%+ of fraudulent sites were identified while the hosting, registrars and software origins were tracked and trended. False positives on legitimate websites during the study period started above 0.9% and decreased exponentially as the data set expanded.

Only 2% of the nefarious websites seen in this study had been seized. The pattern of replication we uncovered shows that the methods employed by this team are effective countermeasures for this problem. At the conclusion of this paper we lay out predictions for how this will behave in the future, which are alarming.

In this paper, we present the results of our study, indicating great risk to intellectual property owners.

Audience:

This paper is intended to be presented to an audience with light to moderate technical knowledge.

Paid Sponsored Advertisements:

These cybercriminals pay Facebook for sponsored advertisement space, which is presented to the user without request or choice. Counterfeit and fraudulent websites appear on the web every day, but this is a targeted delivery vector that is actively pushed to the user rather than found by them.

Only 2% of the domains discovered in this study were seized. 98% remain operational.


These websites, primarily hosted in the United States, are not operated by legitimate businesses. Below are some sample screen shots of these sponsored advertisements.


Nefarious & Fraud Websites

They are conducting intellectual property theft to lure unsuspecting users to their websites, and they are doing this by paying Facebook for the ad space. They are leveraging a system of replication and redirection, indicating organization and a desire to evade detection methods. Once on the website, the user is presented with highly convincing materials, making them quite susceptible to the deception.

In our previous paper ("Cybercriminals Leveraging Facebook"), we documented how these websites use dubious payment processors and unencrypted collection of PII when users "register". Many of the registrars involved are known to be highly suspect.

The users who are duped by these websites have little recourse to recoup the financial losses they incur by sending money to these websites through dubious payment processors.

A quote from an anonymous resource involved in this research stated:

"These ads/fake websites have been reported directly to Facebook on multiple occasions to no avail. They come back with the same generic response in that they can find nothing wrong. This is just not true. We point out why the site is fake and outline the reasons why and they still take the stance that nothing is wrong. What is further concerning is that it is getting worse. In my years of experience in reporting fakes via the DCA group, I am astonished to see the amount of fake items being sold to mainstream America, which, in essence, is fleecing Americans out of their hard earned money. In performing additional research, specifically running DNS reports, I have found that most, if not all, of the "organizations" that are selling items on these sites are from China. China is well known for saturating the marketplace with fake items. And it is the most expensive luxury brands that they are using in an attempt, in my opinion, to steal people's money by advising they sell 100% authentic items when in fact they are all fake. I have personally seen examples of people buying fake handbags and then fighting to get their money back, many times to no avail. These sites will normally only accept money orders or Western Union, which leaves no recourse to the unsuspecting buyer; and we are not talking a small amount of money. Certain limited edition high end luxury handbags can fetch up to $10,000 and more each depending on which one it is. There have been too many instances of people buying fakes and losing out on thousands and thousands of dollars to these schemes and they must be stopped." – Anonymous volunteer in this research study

Payment Methods

The payment methods being employed by these websites are tied to numerous reports of fraud.[1] Users who are tricked by a Paid Sponsored Advertisement send their money to nefarious groups with no recourse.

[1] Example fraud payment processor: http://www.onlinethreatalerts.com/article/2013/6/24/bogus-payment-processor-website-www-billingcheckout-com/

Attribution, Replication and Zombie Farms


There are two primary types of advertised sites: a "root" website and a "zombie redirector", the latter amounting to a farm of throwaway websites that can be submitted to Facebook as ads. The root nefarious website holds the actual content delivered to the user; the redirectors exist only to forward the visitor to it. We are able to identify groups and root websites and to ascribe ownership of these websites to those groups.

It is important to note that the root website is not necessarily the website being advertised.

Example: The "OJR Group" + Successful Predictive Sites

The example below is one of the groups we identified employing one type of Zombie farm. We refer to this group as the "OJR Group". Using the technology employed, we are able to go beyond identifying the websites they are currently operating and identify the websites they will advertise on Facebook.

The "OJR Group" operates a very large Zombie Redirection farm, and only a portion of that farm is represented here. When our system processes a website, we can identify this group programmatically in seconds.
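The root-versus-redirector structure described above can be recovered mechanically: follow each advertised URL's redirect chain to the site it finally lands on, then group advertised hosts by that root. The block below is an added example, not the authors' system. The response table standing in for the web, every hostname and every page body are constructed for the demonstration, and the three redirect styles it recognises (HTTP Location header, meta refresh, JavaScript location assignment) are common evasive techniques rather than a list taken from the paper. The loop guard matters because a farm can be built to redirect in circles.

```python
"""Resolve zombie-redirector chains back to their root sites and cluster them.

Added example, not the authors' system. The response table standing in for
the web, every hostname and every page body are constructed for the
demonstration, so the code runs offline.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for HTTP fetches: url -> (status, headers, body).
FAKE_WEB = {
    "http://lvbags-outlet-1.example/": (302, {"Location": "http://rdr-a.example/go"}, ""),
    "http://rdr-a.example/go": (200, {},
        '<meta http-equiv="refresh" content="0;url=http://root-shop.example/lv">'),
    "http://root-shop.example/lv": (200, {}, "<html>Louis Vuitton cheap outlet</html>"),
    "http://nfl-jerseys-9.example/": (200, {},
        '<script>window.location.href="http://root-shop.example/nfl";</script>'),
    "http://root-shop.example/nfl": (200, {}, "<html>NFL jerseys</html>"),
    "http://loop-1.example/": (301, {"Location": "http://loop-2.example/"}, ""),
    "http://loop-2.example/": (301, {"Location": "http://loop-1.example/"}, ""),
    "http://legit-brand.example/": (200, {}, "<html>Official store</html>"),
}
SAMPLE_ADS = [  # constructed set of advertised URLs
    "http://lvbags-outlet-1.example/",
    "http://nfl-jerseys-9.example/",
    "http://legit-brand.example/",
    "http://loop-1.example/",
]

META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def next_hop(url, status, headers, body):
    """Next URL in the chain via HTTP Location, meta refresh or JS assignment, else None."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body) or JS_REDIRECT.search(body)
    return urljoin(url, m.group(1)) if m else None

def resolve_chain(url, fetch=FAKE_WEB.get, max_hops=10):
    """Follow redirects and return every hop, stopping on loops or after max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        resp = fetch(chain[-1])
        if resp is None:
            break
        nxt = next_hop(chain[-1], *resp)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def cluster_by_root(ads, fetch=FAKE_WEB.get):
    """Map root host -> set of advertised hosts that end up there."""
    clusters = {}
    for ad in ads:
        root_host = urlparse(resolve_chain(ad, fetch)[-1]).netloc
        clusters.setdefault(root_host, set()).add(urlparse(ad).netloc)
    return clusters

def redirector_share(ads, fetch=FAKE_WEB.get):
    """Fraction of advertised URLs that are redirectors (chain longer than one hop)."""
    if not ads:
        return 0.0
    return sum(len(resolve_chain(ad, fetch)) > 1 for ad in ads) / len(ads)

if __name__ == "__main__":
    for root, hosts in cluster_by_root(SAMPLE_ADS).items():
        print(root, "<-", sorted(hosts))
    print("redirector share:", redirector_share(SAMPLE_ADS))
```

Grouping by root host gives the "ascribable group" view: every advertised domain that lands on the same root belongs to the same operation, and redirector_share produces the kind of redirector-versus-root proportion reported later in the paper. Against a live farm the fetch function would be a real HTTP client with a short timeout and the same hop limit.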

Snapshot of the "OJR Group" Counterfeit Operations


Figure 1: Zombie Redirector Being Employed by the OJR Group

How is This Being Delivered?

Registrars

Of the hundreds of domains we have identified as nefarious, the most popular registrar at this moment is "Godaddy", which is primarily used to register pseudo-random Zombie Redirector sites. Outside of Godaddy, the remainder are mostly Chinese technology companies, with some notable exceptions.


Web Hosting

Once registered, the sites require hosting. Our data shows they use mostly United States hosting companies to deliver their fraudulent content.


Geographic Location of Web Hosting

These sites are predominantly hosted in the United States.


Theft of Intellectual Property by Brand

Our studies showed that the Zombie Redirector sites moved from root site to root site and from brand to brand. The brands being presented are represented in the graph below.

While identifying legitimate versus fraud websites is trivial to experienced professionals armed with the correct knowledge and technology, the average user is not able to discern the difference, exposing them to serious risks of financial and identity theft.

The Zombie Redirectors made up nearly 40% of the sites observed, which allows them to use those sites to redirect users to any number of nefarious websites, using rotating brand names.

Scope and Scale

Our research and technology have shown that this problem goes far beyond Facebook and far beyond the ability of an individual intellectual property owner to defend against it. Facebook is just a distribution system.

Only 2% of the domains in this study were "Seized"; 98% are operational. Every day we catalogued between 8 and 20 new domains. The more resources we assign, the more we find, and the growth is exponential. We believe it will plateau, but using only publicly available data makes it challenging to determine at what level.

Brands by Frequency (Zombie Redirectors are the bulk of sites):

Zombie Redirector 39%
Louis Vuitton 14%
NFL 12%
Other 6%
Oakley & Ray Ban 6%
Louboutin 6%
Nike 5%
Kors 3%
Chanel 2%
Seized 2%
Coach 1%
Prada 1%
Gucci 1%
Fendi 1%
Ralph Lauren 0%
Other 0%
Hermes 0%


Our extrapolation of the data, which will be covered in the next paper, indicates that this problem is leviathan in scale.

A full internet-scale estimate is outside the scope of this paper, but our extrapolation of this data indicates an enormous scale. Below is one sample of extrapolation for a single brand:

For every increase in resources or time assigned to observing paid nefarious ads on Facebook, the corresponding increase in sites found was 75% per frequency period (provided by Malloy Labs), indicating that the problem is enormous. This concept is expanded in the Quantitative Analysis section provided by Ian Malloy of Malloy Labs.


Intellectual Property Owners Cannot Effectively Combat This

Facebook's requirements (as described to us by a corporation) are that trademark holders must send screen captures of the advertisement, the search history and the offending website together in one report, which would require enormous resources performing tangential operations dissociated from the underlying patterns.

The result of this is that the intellectual property owner is subjected to great harm of their brand name as well as a resource drain through these Paid Sponsored Advertisements.

Aside from Paid Sponsored Ads, our previous paper documented fake Facebook accounts. We have also discovered an enormous number of Counterfeit Facebook Groups.

Attribution – Chinese Actors:

There are multiple key indicators that the persons operating these websites originate in China. As per our previous paper ("Cybercriminals Leveraging Facebook"), most of the content delivery sources are Chinese networks:

- CNZZ and 51.la are the most frequently embedded third-party services. Both are Chinese web-traffic statistics services rather than content delivery networks in the strict sense, but a tracking snippet from either is a strong origin indicator.
- A majority of these websites have been developed using Chinese versions of software.
- The code replication techniques are published under what appear to be Chinese names.
- The registrars, outside of Godaddy, are primarily Chinese registrar technology companies.

The genesis of this has Chinese origins; we intend to expand on this in our next paper.

Meanwhile, the posts from fake Facebook profiles detailed in our first paper continue.


Conclusions & Predictions:

The immediate consequences of the fraud will fall directly on the intellectual property owners and those being defrauded. In the intermediate term Facebook will suffer increasing reputational damage, until either an effective countermeasure is engaged or the increase in fraudulent advertisements destroys user trust, at which point the fraudsters will abandon Facebook for another vector.

Meanwhile, we predict the fraudsters themselves will operate on what will resemble a biological diauxic growth curve with a continuous lifecycle. This will increase exponentially if they spawn parallel growth, unless an effective countermeasure is introduced into the internet ecosystem or the fraud plateaus at an unknown horizon in the future; either way it is likely to have a significant impact on the economy as a whole.


For now, the intellectual property owners will continue to experience negative financial impact, impeding their ability to cope with the ever increasing theft of their intellectual property.

Quantitative Analysis Provided by Malloy Labs

Written by Ian Malloy of Malloy Labs

Audience: Highly Technical and Mathematical

Background: Frank Angiolelli provided Ian Malloy with a sample of 225 vetted counterfeit websites for Quantitative Analysis

Quantitative Analysis of Fraudulent Activity on Facebook

Abstract:

This paper analyzes the quantitative aspects of a sample of fraudulent, promoted ads on Facebook. Not all of the ads are promoted, but those that are artificially inflate Facebook's advertising revenue. Some ads appear as spam created by fake profiles and posted to targeted groups in order to steal financial information or, worse, the identity of those who follow the links and attempt to make purchases. The fraudulent ads incorporate the intellectual property of Oakley, Rayban, the NFL and Louis Vuitton. For the sake of analysis the entire sample of reported fraudulent sites is used, though the predominant focus of the analysis is Louis Vuitton (LV). The analysis looks for variance between URLs within the sample of 225, and incorporates a comparative analysis between each vector (URL sample) in order to conduct chi-square analysis and regression analysis. The null hypothesis of this study is that the LV samples do not show a characteristic difference from the other vectors; the alternative hypothesis is that a different trend is present in the LV vector.

In a perfect world, the internet would be a hub of information sharing, completely open-source and free for all to use. In the real world, cybercrime and black hat hackers seem to have the upper hand. In criminal response and mitigation, each black hat has a detectable internet protocol address, and Internet Service Providers are quick to remove malicious sites or those that engage in cybercriminal activities (fig. 1).

Fig. 1

A sample of 225 is used for analysis. Of these 225, 25 are labeled as "repeat offenders", i.e. showing up more than once on facebook.com rather than once. The entire sample is not analyzed holistically until the first 200 single offenders and the 25 repeat offenders have been analyzed. This creates a baseline of "first time offenders" (FTOs) and "Repeat Offenders" (ROs). A "url query" is run on all FTOs and ROs using urlquery.com, an open-source tool that allows minor forensic analysis to be conducted. Certain key signatures are used as well, such as the word "cheap" when used in a specific context. Together these produce an aggregated score that reveals whether a site is A) counterfeit or B) legitimate.
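The aggregated signature score described above, and the origin indicators listed under "Attribution – Chinese Actors" (CNZZ/51.la statistics snippets, Chinese-locale software), can be combined into one scorer that labels a captured landing page. The block below is an added example rather than the authors' scoring system: the signatures, their weights, the threshold, the brand list and both sample pages are constructed for the demonstration and would need tuning against vetted true positives before any real use.

```python
"""Aggregated counterfeit-signature scoring for a captured landing page.

Added example, not the authors' scoring system. Signature weights, the
threshold, the brand list and both sample pages are constructed for the
demonstration and should be tuned against vetted true positives.
"""
import re
from urllib.parse import urlparse

# Constructed brand list; multi-word names are matched in lowercased text.
BRANDS = ["louis vuitton", "oakley", "ray ban", "louboutin", "michael kors", "chanel"]

def brand_in_third_party_domain(url, html):
    """A brand name embedded in a hostname the brand does not own (e.g. louisvuitton-outlet-sale)."""
    host = urlparse(url).netloc.lower().replace("-", "")
    return any(b.replace(" ", "") in host for b in BRANDS)

def cheap_in_brand_context(url, html):
    """'cheap' within 40 characters of a brand name, e.g. 'cheap louis vuitton bags'."""
    return any(
        re.search(r"cheap.{0,40}" + re.escape(b) + "|" + re.escape(b) + r".{0,40}cheap", html)
        for b in BRANDS
    )

# (description, weight, predicate over (url, lowercased html)); weights are constructed.
SIGNATURES = [
    ("brand name inside a non-brand domain", 5, brand_in_third_party_domain),
    ("'cheap' in brand context", 5, cheap_in_brand_context),
    ("'100% authentic' claim next to a discount", 3,
     lambda u, h: "100% authentic" in h and re.search(r"\d{2}% off", h) is not None),
    ("Western Union / money order payment", 4,
     lambda u, h: "western union" in h or "money order" in h),
    ("CNZZ or 51.la statistics snippet (Chinese web analytics)", 4,
     lambda u, h: "cnzz.com" in h or "51.la" in h),
    ("Chinese-locale page markers", 2,
     lambda u, h: 'lang="zh' in h or "charset=gb2312" in h),
]

THRESHOLD = 10  # constructed cut-off: two strong signatures, or one strong plus several weak

def score_page(url, html):
    """Return (total score, names of the signatures that fired)."""
    h = html.lower()
    fired = [(name, weight) for name, weight, test in SIGNATURES if test(url, h)]
    return sum(w for _, w in fired), [name for name, _ in fired]

def classify(url, html):
    """Label a page counterfeit or legitimate from its aggregated score."""
    score, fired = score_page(url, html)
    return ("counterfeit" if score >= THRESHOLD else "legitimate"), score, fired

# Constructed sample pages (not real sites).
FAKE_PAGE = (
    "http://louisvuitton-outlet-sale.example/bags",
    '<html lang="zh-CN"><body>Cheap Louis Vuitton bags 70% off, 100% authentic. '
    'We accept Western Union. <script src="http://s4.cnzz.com/stat.php?id=1"></script>'
    '</body></html>',
)
LEGIT_PAGE = (
    "https://www.example-department-store.example/handbags",
    '<html lang="en"><body>Louis Vuitton handbags, free shipping, pay by credit card.'
    '</body></html>',
)

if __name__ == "__main__":
    for url, html in (FAKE_PAGE, LEGIT_PAGE):
        label, score, fired = classify(url, html)
        print(url, "->", label, score, fired)
```

Returning the list of fired signatures alongside the score is what makes the result reviewable: a false positive on a legitimate retailer can be traced to the single rule that fired and that rule's weight adjusted, which is how the false-positive rate described in the executive summary is driven down as the vetted data set grows.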

Figure 2 shows a frequency analysis between a random sample of 4 vectors and 13 samples from each, including fraudulent site counterfeit scores:

Fig. 1 (chart): series "cybercrime", "antivirus" and "full mitigation" plotted by quarter (1Q to 4Q) on a 0-100% axis.


Fig. 2

As can be seen from figure 2, LV is the highest-ranking counterfeit vector, although the predominant counterfeit-appearance scores are lower than Oakley's. This illustrates two key points:

1) The obfuscation technique is more advanced, making it harder to detect counterfeit signatures of LV.

2) Although LV sites appear more often, the LV vector centers around a signature strength of ten, which comes from an aggregation of key phrases and words within specific contexts.

Figure 3 shows simple standard deviation analytics between all vectors, a two-tailed F test between the LV vector and the remaining three vectors, and the average frequency of the vectors combined:

Fig. 2 (chart): frequency of counterfeit signature scores; series LV, Rayban, Oakley, Jersey's; x-axis 1-8, y-axis frequency 0-8.

Score   LV   Rayban / Oakley / Jersey's (partial)
3       0
5       1    1
10      7    5, 1, 1
15      3    1, 1, 1
20      2    2
25      0    0
30      0
30+     0

Counts for the Rayban, Oakley and Jersey's columns survive only partially in this transcript; the LV column sums to the 13 samples per vector.

F-Test (two-tailed) between LV and the other three Vectors: 0.009734992
Average Frequency: 1.625
Standard Deviation of Sample: 1.927865832

Fig. 3

The two-tailed F test (0.0097) shows a pattern of irregular increase within all vectors, consistent with Fig. 2, wherein the LV vector appears with much higher frequency at the minimum signature scale. Taking the sample size, the average and the standard deviation, we set the alpha coefficient at .05 and test whether the null hypothesis proposed in the abstract can be rejected:

Fig. 4 (one-tailed Z-test on the LV vector):

Sample: 13
P value: 1
F-Test (two-tailed) between LV and the other three Vectors: 0.009734992
Average Frequency: 1.625
Standard Deviation of Sample: 1.927865832

Figure 4 shows a p-value of 1. Because this is above the alpha threshold of .05, the Z-test does not allow the null hypothesis stated in the abstract to be rejected; on this test alone the LV vector is not shown to differ from the other three. To examine the irregular difference using the values of figures 1 and 2, a scatterplot and regression analysis is conducted, which indicates an exponential rise in the counterfeit data signature, judged by the correlation coefficient "R" between the vectors:

Fig. 5 (chart): linear trend line for the LV vector, y = 0.7143x - 0.2857, R² = 0.8929; series LV, Rayban, Oakley, Jersey's; x-axis 0-8, y-axis -1 to 6.

Fig. 6 (chart): logarithmic trend line for the LV vector, R² = 0.683; series LV, Rayban, Oakley, Jersey's; x-axis 0-10, y-axis -6 to 6.

Fig. 7 (chart): polynomial trend line for the LV vector, R² = 1; series LV, Rayban, Oakley, Jersey's; x-axis 0-8, y-axis 0-6.


Fig. 8 (chart): exponential trend line for the LV vector, y = 0.5961e^(0.2874x), R² = 0.8929; series LV, Rayban, Oakley, Jersey's; x-axis 0-10, y-axis 0-9.

Figures 5-8 are regression analyses on the projections of nefarious use of LV vector Intellectual Property (IP). Each graph carries its own coefficient of determination, R², which denotes how closely the projected trend matches the given values for the LV vector. The only perfect match in growth patterns is the polynomial trend line of order 2 shown in fig. 7 (R² = 1). The least related, judged by R², is the logarithmic fit in fig. 6 (R² = 0.683), so a logarithmic increase is the least likely of the growth trends.

Two of the fits, the linear (fig. 5) and the exponential (fig. 8), share an identical R² of 0.8929 and show a statistically meaningful growth trend, suggesting that either linear or exponential growth is the most probable of the trends once the polynomial, at 100%, is discounted. The polynomial order matches the observed data, as the others do, but it projects a much more dramatic increase in the LV vector than the remaining figures. Taking the moving average forward three periods includes the two observed periods in the analysis while the third lands on a projected trend. There is no R² for a moving average, but the data shows a linear increase beginning at the y-axis value 3 after a drop (fig. 9).

Note that a polynomial with as many coefficients as there are observations fits them exactly; with so few periods observed, the R² = 1 on the order-2 trend line therefore says little about which growth law the fraud actually follows.
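Figures 5-8 compare trend lines by R². The block below is an added example, not the authors' analysis: it fits linear, exponential and full-order polynomial trend lines to a constructed three-period series by plain least squares and reports R² for each, which makes the caveat concrete: a polynomial with as many coefficients as data points always reaches R² = 1, so that value alone does not identify the growth law.

```python
"""Trend-line R² comparison, with the small-sample caveat made explicit.

Added example, not the authors' analysis. The observation series is
constructed; fits are plain least squares on the normal equations.
"""
import math

def _solve(a, b):
    """Solve a.x = b (square system) by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit_poly(xs, ys, degree):
    """Least-squares polynomial coefficients, lowest power first."""
    k = degree + 1
    a = [[sum(x ** (i + j) for x in xs) for j in range(k)] for i in range(k)]
    b = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(k)]
    return _solve(a, b)

def poly_predict(coeffs, x):
    """Evaluate a polynomial given its coefficients, lowest power first."""
    return sum(c * x ** i for i, c in enumerate(coeffs))

def fit_exponential(xs, ys):
    """y = a * e^(b*x), fitted as a straight line on ln(y); requires y > 0."""
    if any(y <= 0 for y in ys):
        raise ValueError("exponential fit needs strictly positive y values")
    ln_a, b = fit_poly(xs, [math.log(y) for y in ys], 1)
    return math.exp(ln_a), b

def r_squared(ys, preds):
    """Coefficient of determination: 1 - SS_res / SS_tot."""
    mean = sum(ys) / len(ys)
    ss_res = sum((y - p) ** 2 for y, p in zip(ys, preds))
    ss_tot = sum((y - mean) ** 2 for y in ys)
    return 1.0 - ss_res / ss_tot

def trend_report(xs, ys):
    """R² of linear, exponential and order-(n-1) polynomial trend lines on the same points."""
    lin = fit_poly(xs, ys, 1)
    a, b = fit_exponential(xs, ys)
    full = fit_poly(xs, ys, len(xs) - 1)   # as many coefficients as points: exact by construction
    return {
        "linear": r_squared(ys, [poly_predict(lin, x) for x in xs]),
        "exponential": r_squared(ys, [a * math.exp(b * x) for x in xs]),
        "poly_n_minus_1": r_squared(ys, [poly_predict(full, x) for x in xs]),
    }

SAMPLE_X = [1, 2, 3]   # constructed: three observation periods
SAMPLE_Y = [1, 2, 5]   # constructed: counterfeit hits per period

if __name__ == "__main__":
    for name, r2 in trend_report(SAMPLE_X, SAMPLE_Y).items():
        print(f"{name:15s} R² = {r2:.4f}")
```

On the constructed series the linear fit gives R² = 12/13 and the exponential fit does better, but the order-2 polynomial scores exactly 1 regardless of what the three values are. Choosing between linear and exponential growth needs more observation periods, not a higher-order curve.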


Fig. 9 (chart): 3-period moving average of the LV vector; series LV, Rayban, Oakley, Jersey's; x-axis 0-8, y-axis 0-6.