Imagine someone living hidden within the walls of your house, observing your every move, studying your every interaction and shadowing your behaviour until the day he can flawlessly mimic you. Only, it isn’t human. While it sounds like the premise of Parasite and Annihilation combined, the setup isn’t spun from the imagination of a sci-fi author. It is happening as you read this.
Sure, you’ve heard of cybercrime, but how much do you really know about the extent of it? Like us, bots evolve. Once limited to data centres, operating by rudimentary rules and running predictably, they now occupy user devices and residential IPs, doing pretty much what we’ve just described in the opening line.
There are good bots, of course, responsible for a huge portion of what makes the Internet so great by crawling, analysing and cataloguing data for search engines and antivirus companies. But like every decent story, there’s yin to the yang. Bad bots hack accounts, duplicate login credentials, and steal from e-commerce transactions.
What’s most dangerous about these bots, however, is the fact that they mask their activity by pretending to be human.
More frightening than that, they are undetectable to the naked eye, and even to most bot-detection software. Incorporated into larger organised botnets, both scale and damage are maximised. And sometimes, allowing them to pass the threshold into your personal digital space just takes a pair of free shoes.
Rather, and worse still, the empty promise of a pair of free shoes. Just late last year, Android users were offered a deal that was hard to pass up—receive a complimentary pair of sneakers, coupons or event tickets simply by installing an app and filling in your details for them to be mailed to your doorstep within two weeks. If you’re thinking you wouldn’t fall for it, 65,000 unwitting devices (as of June 2020) did.
With no apparent advertisements or monetisation scheme in place, it all looks like a harmless stunt on the surface. In reality, users are getting a concealed browser program loaded onto their phones, generating false ad impressions. On their end, battery life seems to be draining quicker than usual. To proper paying advertisers, the same host adeptly disguises the apps’ appearances to resemble those of legitimate brands and tricks them into bidding for the advertising space on the strength of inaccurate click rates.
Not only do the legitimate brands it imitates lose credibility on top of potential ad revenue; the ecosystem also loses the trust of all its stakeholders. The ad fraud botnet Terracotta, unearthed and named by New York-based cybersecurity company White Ops, has since seen a significant decrease in traffic after its takedown by Google. And this wasn’t even White Ops’s biggest operation.
Together with Google, Facebook and the FBI among several other partners, the team led the takedown of 3ve, a sophisticated counterfeiting operation amounting to more than three billion daily bid requests and, subsequently, millions of dollars in losses. Specifically, it involved more than 5,000 counterfeit websites spoofing over 60,000 accounts with digital advertising companies, and 1.7 million personal computers affected at its peak.
“To unravel the internal mechanics of such a fraud operation requires a multi-layered approach of real-time detection and prevention,” White Ops co-founder Tamer Hassan told Digital Guardian. “3ve was remarkably sophisticated. It showed every indication of a well-organised operation with best practices in software development. It exhibited reliability, resilience and scale, rivalling many state-of-the-art software architectures.”
These coordinated attacks don’t just stop at bad guys piloting bad bots to pillage the innocent.
The team of researchers discovered that 3ve operators were reselling fake traffic to third parties who wanted to commit ad fraud. And it’s easy to understand why: it’s one of the most lucrative crimes, and simultaneously one that involves the least amount of risk. The World Federation of Advertisers even goes as far as to estimate that ad fraud as a syndicate, based on annual revenue, could soon become second only to the illicit drug trade.
While we don’t necessarily have the capacity to harpoon these traffickers on our own, there are ways the ad-tech community can do its part. App publishers simply need to add an app-ads.txt file to protect their inventory from impersonation. Advertisers, apart from purchasing inventory from app-ads.txt verified sources, should ascertain that their ad verification partner has robust tag evasion defences, since advanced ad fraud malware has proven able to selectively avoid running code from ad verification companies.
As for the rest of us regular folk, it surely pays to be a little more careful with the downloads. More so when what they proffer is free because, chances are, it really isn’t.