On the Importance of Fostering Good Communication with Security Researchers

Ad fraud is the biggest cybercrime, yet it gets almost no attention from security researchers. It is clear why security researchers do not want to be part of countering ad fraud activity, but it is not so clear what the advertising technology industry is going to do about this vital issue amplifying and perpetuating the ad fraud problem.

header graphic courtesy of: http://feinobi.deviantart.com

AD FRAUD GETS COVERAGE IN A MAJOR SECURITY “CON”

This past weekend, for the first time in history, someone from outside of advertising technology dedicated a talk to ad fraud research at a major security conference. It was very valuable, but not good in any other sense. Here is the overview of the talk:

VERY SHORT VERSION

The event is ShmooCon, which is considered one of the most important security-related conferences of the year. This article will cover two points:

  1. the behaviour of advertising technology companies has to change
  2. the need for security researchers to be involved in ad fraud research

These two are closely connected: in effect, the first one is preventing the second. For this reason, the ad technology industry desperately needs to foster good communications with infosec researchers.

The four pieces of advice I want to give to advertising technology companies in this respect:

  1. stop being a factor of great harm in the internet and the society
  2. show sincere concern for the present and future internet and its role in the society (beyond just thinking about advertising)
  3. communicate the actual problem and your own involvement in it clearly and without delays
  4. when making claims, make them as truthfully as possible, and if there are any doubts about what you are claiming, be clear about your doubts as well
  5. when making “true” claims, provide evidence. Without evidence it’s as good as any other claim, and should be presented as marketing

Here is the talk: https://www.youtube.com/watch?v=xEqtgkkNgxQ

You can find the link again as part of the full story below.

THE FULL STORY

Ad fraud is a security problem and advertising technology companies do not know security. Not even if their life depended on it. On the contrary, it is these “adtech” companies that pocket most of the revenue created from ad fraud. This has helped ad fraud to rapidly grow into the #1 cybercrime, and a top 10 ranking form of organized crime.

Instead of making ad fraud research attractive for security researchers, the past year, in which most ad fraud related claims by vendors were made without any substantial evidence, climaxed with Pixalate’s made-up Xindi claims and the coverage they got among security researchers.

Here is a candid example:

Pixalate made it 5 times to the Cyber Krampus list:

Other companies that made it to the list with more than one entry include Hacking Team:

No other company that made it to the list has 5 entries. This is evidence of one of the following:

  • Pixalate made researchers pissed off more
  • Pixalate made more researchers pissed off
  • Pixalate made the wrong researchers pissed off

Hacking Team is very well known, so it can’t be the first. My guess is that in this case it’s mostly that Pixalate pissed off the wrong researchers, and pissed them off good.

At the moment botlab.io has three primary concerns:

  • the fact that the largest beneficiaries are adtech companies
  • the actual capabilities of anti ad fraud vendors vs. their claims
  • the ability the Interactive Advertising Bureau (IAB) has to fight fraud

Xindi-gate highlights each of these three aspects. It started with a vendor putting its own monetary gain ahead of everything else and making serious mistakes at the cost of others, and then not a single adtech company, nor the IAB, called out Pixalate’s behaviour for what it appears to be when investigated.

AD FRAUD IS A SECURITY PROBLEM CAUSED AND BENEFITED FROM BY ADVERTISING TECHNOLOGY COMPANIES

There is no question in my mind whether ad fraud is a security problem or not. To simplify, the ad fraud problem is made up of three individual problems:

  • botnet problem
  • spam problem
  • behavioral problem

What the ad industry calls traffic, which is to the advertising industry kind of what doping (and especially EPO) is to competitive sports, is ultimately botnet traffic. That is totally a security problem.

Advertising technology companies will not know how to solve it. This should be clear from the example Pixalate gives us with Xindi allegations and aftermath. When it comes to advertising technology, Pixalate is a company that is supposed to be “cutting edge” in terms of understanding and countering botnets.

For security research, my argument is that there is no better source of data for wider research purposes than advertising technology companies. An average adtech company may handle 1 billion HTTP requests per day, and it seems safe to assume that in any case 20% of that is botnet traffic. The entire programmatic ad eco-system is about 200 billion events per day, and there is a very high level of redundancy in terms of many companies being part of one event. In many cases you will have a company, either a network or publisher, where it's botnet traffic more often than not.

The money is made mostly on what we refer to as spamsites, basically sites that deliberately have some form of ad fraud as part of their business model. Many spammers are moving from email to websites and ad fraud. It is at the moment the highest-yield way of converting HTTP requests into revenue. Spamsites are therefore a security-focused problem too. Not to mention the connection some of these sites have with spreading malware.

The behavioral problem in this case relates to poor practices that keep the poorly secured programmatic advertising eco-system vulnerable to high exposure rates of ad fraud. To be more precise, poor understanding of security and poor practices act as causes of a poorly secured eco-system. Increasingly this means a poorly secured internet.

Because ad fraud is a security problem, and is primarily caused by the advertising technology industry, the best people to help the ad industry with ad fraud are security people.

If we can agree that ad fraud is a security problem, then we have to evaluate four important points in this respect:

  • adtech people are not incentivized to deal with the problem
  • adtech people are (mostly) not equipped to deal with the problem
  • security researchers are motivated to solve hard problems
  • security researchers are already savvy with security research

The first issue with ad fraud is that it’s poorly understood among security researchers. It is not clearly understood what a fascinating problem it actually is and how hard of a problem it is. I understand that this is not possible before there is a substantial change in the effect the internet advertising industry has on the internet.

In my opinion, more than anything, ad fraud desperately needs the attention of independent security researchers. People who are skilled, have genuine concern for the internet and are not too dependent on anyone else’s agenda.

Security researchers are not only NOT interested in ad fraud, but commonly exhibit animosity towards anything that has to do with internet advertising and associated companies. When we started botlab.io about a year ago, after having had discussions about it for years, this is the first problem that we formally identified as a cause for ad fraud research being in the poor state it is. Because of the way the internet advertising industry has changed the internet on its own terms, it is not surprising to find those who care for it disassociating themselves from something that they see as a destructive force.

In a Q&A after his recent ShmooCon talk, to answer the question “why security researchers don’t care about ad fraud?” the researcher candidly replied:

“Because they are the cancer of the internet and fuck up everything they touch”

Then everyone in the audience laughs. Here is the video of the full talk. Regardless of all the profanity, it is essential watching for any aspiring ad fraud researcher. Also, for anyone who wants to get a feel for how the advertising technology industry is discussed among well-respected security researchers, this talk is pure gold.

So where is the advertising technology industry with having security researchers interested in ad fraud? I think in this case it’s fair to argue, and somewhat quantifiable, that it’s further than ever before.

Over the 20+ years I’ve been actively involved in the internet as a researcher and developer, spending most of my waking time somehow related to it, I’ve come to see how something wonderful with a promise to make a better world was systematically turned into what on the surface seems little more than a giant soap selling machine.

HOW DID THE ADVERTISING TECHNOLOGY INDUSTRY REACT TO PIXALATE’S LARGELY MADE-UP XINDI CLAIMS?

What happened with Xindi is not ok. What Pixalate did is not ok by or in any measure. The video attached to this article covers just the beginning of what Pixalate did wrong or did not do as one would reasonably expect. The programmatic part plays just as poorly as the security part as told by @da_667. In short, it is not at all ok to create a media frenzy or panic within major companies by saying their networks are infected.

What really makes this case difficult is how Pixalate until today has not provided evidence for their claims. I have personally done what I reasonably could to try and convince them to provide something.

Did anybody in advertising technology call out the mistakes in association with Xindi the Botnet? You got it right, nobody did.

Some vendors made statements to leverage the bogus claims made by Pixalate for their own marketing purposes. These kinds of actions only gave more voice and perceived authority to Pixalate’s made-up story.

In the case of the advertising technology industry, the trade body that is supposedly charged with the vendor side of things is IAB. IAB said nothing critical about what had happened, nor did TAG, IAB’s collaborative counter fraud initiative.

IAB’s CEO recently suggested that “ad blocking companies are sued out of their business”.

Elsewhere IAB compared profiting from ad blocking to a highway robbery. I think that under closer inspection it is far more convincing to argue that it is IAB’s members that are profiting from something that can be compared to a highway robbery.

While IAB is known for making strong statements elsewhere, its failure to comment on the issues with Pixalate’s claims on Xindi is more or less as complete as it could be.

Either they didn’t get it, or they don’t care.

Advertising technology companies have the choice of becoming a factor in the solution for ad fraud and the threat it creates to the society. That choice means initially becoming fully aware of its own involvement in ad fraud, admitting its involvement and based on that taking actions to reduce that involvement. Fight against ad fraud at this point does not mean “to go after criminals” or to make claims about finding new malware or botnets. It means to clean up the advertising technology industry.

For the advertising technology industry, which infosec people already loathe, the big challenge is its desperate need to attract the people that loathe it to solve the problem it has itself created. A problem that has become a clear threat to the internet and society, while “adtech” is completely out of its league in its alleged attempts to create solutions for countering it.

With various aspects inevitably expanding the ad fraud market roughly an order of magnitude over the next decade, it is not impossible that by 2025, global ad fraud revenues are greater than cybersecurity revenues. IMO that is not the world any one of us wants to experience. In any case, by 2025 ad fraud will be the second largest form of organised crime right after drugs and ahead of human trafficking.

#GG #JOINFAST


More like this on Twitter — @mikkotila