Shawn Lim
Nov 28, 2022

How fraudsters are committing malvertising by targeting VPN users

Users may use VPNs to avoid scrutiny or geo-blocked content, but a rising number of bad actors are luring users to malicious sites. Industry experts explain how advertisers can circumvent and rectify this issue.

A report by the Digital Citizens Alliance, White Bullet, and Unit 221B has found that malicious ads are being used as scare tactics to bombard users into downloading malware, including ransomware that takes over files to force victims to pay to regain access. 

The report found that these malicious ads, called malvertising, are often enabled by ad intermediary companies that promote scare tactics and other dubious means to trick or entice users to click on dangerous ads. 

Piracy operators, malvertisers, and ad intermediaries target users by luring them to suspect sites with the prospect of free content. For example, the report referenced a ransomware attack on a piracy site where users were prompted to click on an ad but instead found their files locked, followed by a demand for payment to regain access.

To protect themselves from such tactics, users may turn to virtual private networks (VPNs), installing them on all their devices and using them when connecting to public WiFi hotspots. They are also attracted by how VPNs can serve as a tool against surveillance or be used to view geographically restricted content.

However, Gavin Reid, vice president of threat intel at Human, warns that users should choose reputable VPN providers instead of free versions. Free VPNs should also be removed from inclusion lists, because they could potentially be facilitating cybercrime such as advertising fraud.

He notes that in the digital landscape currently, bad actors take advantage of others looking for cheap or free VPNs to avoid scrutiny or geo-blocked content. 

"When users install a free VPN solution, they don't know that the same evil people can now use their device to proxy traffic through. Additionally, users are also at risk of having their data compromised. Unfortunately, this type of fraud has become a big business allowing people to sell these services, often labelled residential proxies," Reid tells Campaign Asia-Pacific.

"As the traffic is coming from a real user on an actual device, simple exclusion lists won't be able to detect and mitigate it. To protect against ad fraud, in such cases, you would need capabilities that go far beyond simple IP block lists, which can smartly include multiple markers and threat intelligence to understand what is making the connection." 

Clockwise from left: Charlie Johnson, Nick Stringer and Gavin Reid


On the other hand, Charlie Johnson, vice president of international at Digital Element, argues we cannot ask people to turn off their VPNs as they are ubiquitous.  

While she acknowledges bad actors use VPNs to commit ad fraud, there are also legitimate reasons why a person might be using one. The impact on the customer experience of taking a blanket approach would negatively affect a brand. 

"Instead, advertisers must find solutions—such as IP intelligence—that mitigate the problems VPNs cause while protecting UX. Taking a more nuanced approach—monitoring and evaluating traffic to separate the good from the bad and flag any potentially suspicious activity—allows brands to protect themselves and their audiences," Johnson tells Campaign Asia-Pacific.

How advertisers can identify the source of fraud

Unfortunately, simple exclusion lists will not be able to detect and mitigate these kinds of fraud schemes. Advertisers would need capabilities that go far beyond simple IP block lists.

For example, as a starting point, advertisers could try to manually investigate the user interaction at various stages to better understand where their fraudulent traffic is entering. According to Reid, advertisers should also consider investing in third-party software or engaging with vendors who can defend against ad fraud, especially when fraud is rapidly evolving.

"Both options bring expertise in detecting ad fraud, as they can investigate thoroughly and prevent these threats from occurring," says Reid. 

Trustworthy Accountability Group (TAG), a global initiative created by the American Association of Advertising Agencies, the Association of National Advertisers, and the Interactive Advertising Bureau (IAB), has been working to stop criminal activity and increase transparency in digital advertising. It has a 'Certified Against Fraud' programme that requires filtering data centre IPs to catch any potential threat delivery mechanisms from VPNs used to commit ad fraud. 

"Brands and advertisers should work with companies certified against fraud and accredited traffic validation services to help separate traffic from real humans from fraudulent, non-human/invalid traffic," Nick Stringer, vice president of global engagement and operations at TAG, tells Campaign Asia-Pacific.

Johnson says VPNs are here to stay. After identifying bad actors, a company can take the necessary precautions to prevent any future attack that uses the same method and flag any traffic that follows similar patterns, such as using a particular type of VPN. For example, no-login VPNs are often used for nefarious activities. 

"Where there is a will, there's a way, and ad fraud has long suffered from this. Again, it highlights the importance of constantly detecting every IP to determine whether a VPN is using it. While we will never be able to stop ad fraud completely, we can slow it down and mitigate the consequences," Johnson explains. 

Taking on the massive network of zombie bots 

Advertisers in the TAG 'Certified Against Fraud' programme work with intermediaries who, in turn, are working with anti-malware companies to monitor all the digital ad creatives they serve and the landing pages for those ads. The monitoring by intermediaries makes it more difficult for criminals to build 'zombie' bot networks.   

TAG is in the final stages of drafting the advertising industry's first 'Malvertising Taxonomy' calling free VPNs a threat. This draft is aimed at making the ecosystem's defences stronger, not just against this type of malware but any threat of a cyber nature. 

In addition, advertisers could also utilise Ads.txt to improve transparency, says Reid. Ads.txt is essentially a digital agreement that authenticates legitimate publishers and brands, minimising the risks of advertisers falling prey to ad fraud.  

Ads.txt is also integral because it is paired with advertisers actively monitoring their networks to detect unusual activity.

"Developing such a practice helps advertisers understand the regular baseline traffic so that any deviations get immediately addressed," explains Reid. 

Once advertisers can track, monitor, and evaluate the locations tied to the users interacting with their campaigns, they can cross-reference these with their campaign targets to see if the two align. If they don't, that is one sign of potential deception. 

"Advertisers can also identify other suspicious patterns, such as excessive clicks occurring within a specific timeframe or radius. Examples of excessive clicks include a click farm that works for mobile phones. For example, if a mobile IP address never shows any signs of moving, this is suspicious as most people keep their phones with them as they go about their day," says Johnson. 

"Finally, if the entrance and exit nodes of an IP address used by a user are different—entering from one side of the world and exiting conveniently in the region of an ad campaign—this could be a fraud. After all, that's a long way to travel in just a few seconds." 
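One way to turn the signals described above into detection logic, as an added illustration that is not code from the article or from any of the quoted companies: the heuristics Johnson lists (clicks outside the campaign's target geography, a burst of clicks within a short window, a mobile address that never moves) plus a VPN flag from IP intelligence, run over constructed click records. The `Click` fields, the thresholds and the IP-intelligence flags are assumptions; the entry/exit-node comparison needs data outside a click log and is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Click:
    ip: str
    ts: int        # seconds since epoch
    country: str   # country resolved for the IP (constructed sample data)
    city: str
    mobile: bool   # mobile/carrier network according to IP intelligence (assumed field)
    vpn: bool      # IP intelligence flags the address as a VPN / proxy exit (assumed field)

def flag_clicks(clicks, target_countries, window=60, max_in_window=5,
                stationary_hours=24, stationary_min_clicks=10):
    """Return {ip: sorted list of reasons} for every IP that trips a heuristic."""
    reasons = defaultdict(set)
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c.ip].append(c)
        if c.country not in target_countries:   # location does not match campaign targets
            reasons[c.ip].add("geo-mismatch")
        if c.vpn:                               # known VPN / residential-proxy exit
            reasons[c.ip].add("vpn-exit")
    for ip, cs in by_ip.items():
        cs.sort(key=lambda c: c.ts)
        # Excessive clicks: more than max_in_window clicks inside any `window` seconds.
        start = 0
        for end in range(len(cs)):
            while cs[end].ts - cs[start].ts > window:
                start += 1
            if end - start + 1 > max_in_window:
                reasons[ip].add("click-burst")
                break
        # A "mobile" address that never changes city over a long period is suspicious.
        long_span = cs[-1].ts - cs[0].ts >= stationary_hours * 3600
        if (cs[0].mobile and len(cs) >= stationary_min_clicks and long_span
                and len({c.city for c in cs}) == 1):
            reasons[ip].add("stationary-mobile")
    return {ip: sorted(r) for ip, r in reasons.items()}

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE = (
    [Click("198.51.100.7", 1_700_000_000 + i * 5, "SG", "Singapore", False, False) for i in range(8)]         # 8 clicks in 35 s
    + [Click("203.0.113.9", 1_700_000_000 + i * 3 * 3600, "SG", "Singapore", True, False) for i in range(12)]  # 12 clicks over 33 h, never moves
    + [Click("192.0.2.20", 1_700_000_000, "BR", "Sao Paulo", False, True)]                                     # outside target, VPN exit
    + [Click("192.0.2.21", 1_700_000_000, "SG", "Singapore", True, False)]                                     # ordinary click
)

if __name__ == "__main__":
    for ip, why in flag_clicks(SAMPLE, {"SG", "MY"}).items():
        print(ip, why)
```

Thresholds such as `max_in_window` and `stationary_min_clicks` are deliberately tunable: the baseline Reid describes is what tells an advertiser where normal traffic ends for a given campaign.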

Preventing bad actors from capturing consumer data

Education will always be the best kind of prevention, whether this means recognising the critical signs of a phishing attempt, such as poor grammar, inaccurate email addresses, unfamiliar greetings, or unusual and urgent requests, according to Johnson. Often it is the most straightforward practices, like knowing how to build a strong password, that are the most effective.

"Other go-to steps include keeping software up-to-date, employing the proper security software, and paying particular attention to the terms and conditions, particularly the permissions and access rights of any new mobile app or browser extension a user is looking to install," adds Johnson. 
