This article helped me understand the junk/spoofing emails I get. Emails that say things like "You have 2 messages from FedEx" etc. When I looked into them a while ago, the simple JavaScript redirect was easy to figure out (they all concatenate numbers from an array onto a string and redirect to that string). The redirect is always to a PHP file, often embedded using bad WordPress installs. The PHP then does more redirects. At first, I was able to get to the redirect, but lately my crude manual attempt fails, as explained by the article: the redirect code goes to pains to filter out "researchers" from genuine spam targets.
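The "numbers from an array concatenated onto a string" pattern the commenter describes can be decoded statically, without loading the page and tripping whatever researcher filter sits behind the first hop. The following is an added example, not code from the article or from the comment above; the spam snippet it parses is constructed for illustration (the `example.com` host, the `/track/go.php?id=2` path and the function names are all assumptions), and the decoder simply pulls every numeric array literal out of the script text and interprets it as character codes.

```javascript
// Added example: statically decode an obfuscated JavaScript redirect of
// the "build a URL from an array of char codes" kind. The snippet below
// is constructed for this example; it is not a real spam sample.
const SAMPLE_SNIPPET = `
var q = "";
var a = [104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,99,111,109,47,116,114,97,99,107,47,103,111,46,112,104,112,63,105,100,61,50];
for (var i = 0; i < a.length; i++) { q += String.fromCharCode(a[i]); }
window.location = q;
`;

// Find every array literal made only of integers, e.g. [104,116,116].
// Returns an array of number arrays, one per literal found.
function extractCodeArrays(source) {
  const re = /\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/g;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    found.push(m[1].split(',').map(s => parseInt(s.trim(), 10)));
  }
  return found;
}

// Interpret a number array as character codes, as the spam loop does.
function decodeCharCodes(codes) {
  return codes.map(c => String.fromCharCode(c)).join('');
}

// Decode every array and keep only results that look like a URL; the
// array could encode anything, so check before treating it as a target.
function findRedirectTargets(source) {
  return extractCodeArrays(source)
    .map(decodeCharCodes)
    .filter(s => /^https?:\/\//i.test(s));
}

// Describe a decoded target without fetching it. Following the redirect
// live is what the commenter says now fails, so a static look at the
// host, path and query is the safer first step.
function describeTarget(url) {
  const u = new URL(url);
  return {
    host: u.hostname,
    path: u.pathname,
    isPhp: u.pathname.toLowerCase().endsWith('.php'),
    params: Object.fromEntries(u.searchParams.entries()),
  };
}

// Stand-alone usage: print the decoded targets of the constructed sample.
for (const target of findRedirectTargets(SAMPLE_SNIPPET)) {
  console.log(target, describeTarget(target));
}
```

The regex only matches all-integer array literals, so an indexing expression such as `a[i]` in the same script is ignored. Real samples vary the wrapper (reversed arrays, an offset subtracted from each code, `eval` of the assembled string), so the decoder is a starting point for the manual pass the comment describes rather than a general deobfuscator.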
I think there are two classes of victims, though. Ordinary users like me are the obvious ones, but I think that the many shady businesses that are presumably paying these malvertising agencies are unlikely to be getting much value for their bucks. Too bad the article doesn't have any information on the revenue return of a malvertising campaign.
>These criminals are hijacking programmatic advertising and giving publishers a bad name.
>Our sole focus is on helping advertising platforms and publishers rid the world of malware.
Getting rid of malware is good, but giving web advertising a bad name also sounds good. Advertising/Propaganda or whatever all act to try and manipulate people's behaviour. The term 'Mind Virus' comes to mind.
I am amazed at how structured the operation was. Is there any estimate as to how profitable a campaign on this scale (or any scale for that matter, I do not know where money enters into the equation)?
Author here. We don't know their profit, but we estimate that they've spent about $220,000 through 2017, which is fairly cheap if you want to blast 1 billion malverts across the interwebs.
The ad spend estimate seems very low. Most players operating out of Russia often spend 10-20K a day, so 200K is just 10 days' worth of ad spend. But such guys often have 10-20 people working for them on a <$1-2K monthly wage. (For Russia/Eastern Europe, or heck, South Asia, it's quite good.)
ROI on such campaigns can be anywhere between 150-600% or even more.
Thanks for the response. Really too bad that one doesn't know how much the profit was. The setup seems pretty sophisticated from a business standpoint. Does one generally suspect traditional organized crime groups to set these things up, or are these done by smaller, newer groups?
Fig. 11 of this analysis links the operation to an address in Kiev. Given the level of sophistication described, it seems likely that this was done by (or at least with the support of) an intelligence agency; I would bet on this having been a project of the FSB.