Podcast Transcript

Spyware Warriors: The Digital Underground (Part 2)

Jeff Molander: Hello, this is Jeff Molander and welcome to part two of my candid chat with Wayne Porter and Chris Boyd, both of FaceTime Communications.

When we left off, Porter was just beginning to scratch the surface on potential wider e-commerce implications of botnets. That is, networks of zombie machines used to execute attacks on networks and, of course, steal financial information right off the infected users' computer screens.

Porter's thrust seemed to be that consumers are already starting to throw their hands in the air and walk away from using the Web altogether. Even more alarming, advertisers themselves, he says, are playing a role in all of this, given that they often participate in a variety of performance-based media schemes like "pay per click," "pay per lead," and "pay per sale" affiliate programs.

Sometimes these advertising campaigns are leveraged by the thieves running botnets as a revenue generation tool. In essence, advertisers are funding a new breed of internet criminal. So I asked Porter the obvious question: Why would a big-branded advertiser get involved in funding criminals?
Wayne Porter: Well, I think some of it is ignorance, some of it is negligence, and some of it is a pressure to meet the numbers.
Jeff Molander: Okay, fair enough, that's why, but how? Is it affiliate programs?
Wayne Porter: No, actually, it's not affiliate programs. A lot of fault gets laid at the affiliate industry, but they sort of help at the highest form of standard. A lot of it involves PPCSE (Pay Per Click Search Engines), pay-per-click scams, where, you know, they're simply shuttling, laundering traffic, or, you know, that's where I think the concentration of it has moved.

The mobile industry, there's still problems there, but as you know from the (affiliate network) Summit in 2000 in New York… it was the first industry to really recognize it as a problem, and there are some rules of engagement. Unfortunately, you know, it's a complex issue. I mean, for an affiliate manager, or e-commerce manager, or a VP of e-commerce, this is a very specialized skill set. So, you know, go do a media buy. Here's X amount of dollars. And they go do a media buy, and they do that media buy through a broker, and you know how it runs. And it goes through another broker, and that broker does a series of buys across CPA or CPC or cost per lead networks, and these sites have not been vetted well.

The next thing you know, these big brands are facilitating this kind of stuff.
Jeff Molander: So how does this kind of stuff intersect with a botnet? Or does it?
Wayne Porter: Well sure, sure, once you have a botnet, you basically have control of the user's PC, so you can do what you want, I mean, you can...
Jeff Molander: Yes, I'm clear on that, but what I'm not clear on is how does participating in an affiliate program at some point possibly get you as an advertiser involved in one of these botnets.

If I'm an advertiser out there, and I'm learning about all this scary stuff that gets on a consumer's PC, is there a connection between an advertiser, say, participating in a cost per action or a cost per click type of environment and a botnet? What's the connection between the two?

Somehow getting people to my Website, and suddenly you're saying it's intertwined with these botnets that are designed to seek and destroy, and they're also designed to take money from the advertiser, sometimes due money and sometimes undue money.
Chris Boyd: I mean, a lot of advertising networks will get caught up in botnets when the hackers start pushing installs onto the infected PCs. And there is a tendency that I know from talking to a lot of these guys: there's no sort of subtlety in the way they will install the adware, they will just hammer it on a few hundred or thousand PCs in a very short space of time. It's only the guys at the high end of the botnets, though, that will actually program the bots in such a way that they will install the adware that just about carries the money on a timed basis, and also the fact that certain advertisers and companies out there will check to see the frequency that these are being installed, and they really should notice if they log a couple hundred installs over a ten or twenty second period; something fishy is potentially going on there.

But by and large the guys running the botnets will just sign up to various networks, programs, what have you, and just hammer installs, and it's only generally when the botnet is actually caught, busted, dragged into public view, that all the dirty laundry then comes out.

And everybody runs around saying… well why didn't this X Y and Z company realize that they were exploiting the network in such a way, which we've said time and time again.
Wayne Porter: Jeff, I think the question that you're getting at is, does the deal structure place, or is that part of, the risk? Obviously yes. If it's a cost per sale type of program, you're fairly insulated, although, theoretically, you could program a machine at night to go out and make purchases, you know, fraudulent purchases, and ship them; that doesn't really make good sense. Then you go to the cost per lead structure, where you have the details, you program the machines to go to a site and auto-fill the form and submit it. And because they're coming from different IP addresses, from different times, it can look like a perfectly legitimate lead. The user has no idea.

So, cost per sale is obviously the most insulated, cost per lead you're going to see more potential for risk, and then cost per click you're going to see the highest increase, well, I'm sorry, cost for impression, you're going to see the biggest risk. All right, so that's scenario one, that's a direct interaction with the merchant. Then you have affiliates who may be doing media buys through some of this illegitimate software, and, you know, transferring the customer that way; that's another area of exposure.

Again, in that person's mind the last thing they see is that pop-up, they see that brand name, you know. Or, I was reading over some of the Direct Revenue documents that are starting to surface where they had, I think it was, forty-five seconds was the popup speed, and they realized users were getting frustrated, so they turned the timing down to something like two minutes, but they saw a huge money drop, so they cranked it back up to 45 seconds. I mean, imagine getting a popup every forty-five seconds while you surf! Who do they blame? They blame who they see in the popup; they're going to blame the merchant, because as far as they're concerned, they're the one doing the advertising, so it really impacts their brand.
Jeff Molander: Hmmmm, a little while ago, you were talking, Wayne, about click fraud… cost per click advertising. I'm really intrigued by where you're going with this, because what you're talking about is something I haven't read about anywhere before as it relates to Google or Yahoo or any of the major cost per click search engines out there. Do botnets somehow intersect with cost per click advertising, and is this a new click fraud concern that you're pointing to here?
Wayne Porter: I don't have a specific example off hand, but if you control the PC, you can write scripts to emulate browsing and clicking, and you know, all the major networks are going to tell you, "we have these sophisticated anti-fraud mechanisms in place." And they do have some anti-fraud mechanisms in place, but I don't think that they're getting it at all. I mean, definitely not.

Google has even publicly said that this is a risk factor in their business, and just now, I think I blogged about this a year and a half ago, about the rise of the fourth party, you know, we're seeing firms emerge, auditing firms, who are coming in and looking and analyzing the data, and analyzing, you know, click speed, and other various factors that can tip you off that this is fraud. So with a botnet, it becomes even more complex, because, we're talking, the botnet may span the globe. So it really looks like legitimate user action; it just depends on how sophisticated the zombie master is in his plans. Which leads me into another alarming trend that I've seen. You know, first we've seen, "let's build massive powerful botnets of 200, 300 thousand machines."

The word on the street is, a lot of these zombie masters are keeping their botnets small. You know, 25,000 machines, 15,000 machines, can keep you in a comfortable lifestyle… living, and have such a low footprint it's probably not going to be detected. I mean, we've seen that, I believe, like, in one fraud that was perpetrated in an affiliate network, they set up hundreds of different accounts, so the money was filtering through all these different accounts. And, you know, myself, having been in on the back end of an affiliate program, you don't tend to pay attention to these small amounts of money; you're really focused on your big hitters, and the big amount of money flowing through. So they sort of launder it through a series of accounts. So they're getting to, they're quite sophisticated, and they're quite smart.

With a botnet under your control, it's spread across the globe, so it looks like legitimate traffic. You can check the IP address, and it looks like a legitimate user came and interacted with your site or interacted with the click. And even more alarming, now they're building these smaller botnets which are designed to evade detection, but now they're getting smart, because zombie masters will actually steal botnets away from each other.

They're actually patching the user's machines, they're actually fixing the user's machines so they can't be stolen away by another botnet. So they keep firm control over their slave.
Jeff Molander: Absolutely unbelievable.
Wayne Porter: It's believable. It's unfortunately a reality. You know, we're just now, it's now sort of bubbling to the top, and then, you know, you throw rootkits in there, and adware, and spyware, and you have this noxious brew that's really dangerous to the consumer and it's really dangerous to the enterprise. You're talking loss of productivity, you're talking trade secrets, customer data; the potential for loss is staggering. And it's a complex issue.

Jeff Molander: I don't know if you realize it, Wayne, but a little while ago you described a whole new level of click fraud. As you just mentioned, Google does recognize click fraud, rather vaguely so, but do advertisers recognize click fraud? I've written on it in the past; I think they look at it, many of them, not all of them, look at it as a cost of doing business.

Do advertisers even realize that they have a problem potentially larger than people being hired out in India or some other country in Asia, perhaps, to do manual click fraud, where there are rooms full of people clicking on ads? Do advertisers realize that this could be dramatically more serious than that?
Wayne Porter: Right, I mean, we talk about click fraud networks. And you know, those things, like, in the affiliate networks, are usually shut down fast.

Usually what happens is one individual discovers a way to scam, and he passes it to his buddies, and they see it all come from this concentration of IP addresses, and that's how they'll catch their signature; one piece of fraud might get through, but they'll catch the rest.

You know, it's kind of funny, because affiliate networks, which really, they're sort of held to a higher standard in some ways than the cost per click, the large affiliate, I'm sorry, the large search engines. And then you get into… when you touch base on the syndication partners, that's a whole other problem we touched upon with the agency approach, where you have multiple layers of people. I mean, there's just a web of people, offers are brokered, where, you know, I'll take my ten percent and it's cut down, he takes his ten percent and he takes his spread, and then, so, it's sort of ironic. You would think that the internet would make e-commerce relationships more efficient, but in reality it's made them less efficient, and actually quite sprawling, to the point where it's dangerous, where you don't know where your brand is ending up.

I think I've blogged on the Save Toby site, where the guy is threatening to ransom the rabbit, he's going to kill the rabbit if, by X date, he doesn't get this amount of money. And (on the site) there's a big Starbucks ad. And so I emailed Starbucks, I'm like, you know, "do you endorse the ransoming of rabbits?" You know? Starbucks pretty much blew it off, but it was a large media buy they did across the network, and had no idea. You know, I do not think that Starbucks really wanted to be on a site where a guy is threatening to execute and eat a rabbit.

We had this big disconnect. Botnets are just another danger out there, and yes, I definitely believe that botnets can be used for pay per click fraud. I don't have any concrete examples I can give you. But if I can control your machine, I can make your machine do whatever I want to do. Prime example: let's go back to AllAdvantage. You remember that, Jeff? The... pay per surf scheme.

Jeff Molander: Vaguely, I do.
Wayne Porter: Very quickly, the value proposition was, you have the AllAdvantage bar, and you watch ads, and you're paid a certain amount. And very quickly, the hacker community responded, and it was called "get paid to sleep," because they wrote sophisticated scripts to emulate surfing activity that looked very natural, that looked completely natural.

There's no reason to believe that with a compromised machine, you couldn't do this to a consumer, especially if you want to do it in the wee hours of the morning, when people probably aren't awake or they're probably not seeing it. That's one way we discovered that they were giving their technology, that was so safe and secure, they said, but what was happening was they were using the sim keys attack, where the unit would pop up for a fraction of a second, and the user was glancing away from the screen, or if it was done at 3 AM, they never saw it installed on their machine. And they're SO sophisticated. We have downloaded malware and let computers sit overnight, and we've seen the malware install 12 hours later, 24 hours later.

So you're infected, you're walking around with this infection, it doesn't start doing its damage until hours later, and you have no idea; none whatsoever.
Jeff Molander: Well unfortunately we're just about out of time here, but thank you guys both so much for taking the time to chat. And I hear there is a new Spywareguide.com blog of some sort, is that right?
Wayne Porter: That's correct. My e-commerce manager Michael informed me, as my reward for being an MVP, that I'm now going to be in charge of our global blogging initiative. I was hoping for a salary raise, so I got my work. But it's actually very exciting; we are re-launching Spyware Guide very shortly, and it's kind of tough, because we have a broad variety of people in different diverse businesses, and I'm fortunate that I have a broad variety of people who are dedicated toward one thing.

The problem is that their average IQ is about 140, so they're really smart guys, so we plan to explore a number to choose from: peer-to-peer, which we consider a greynet, instant messaging, which, again, we see these all as greynets. They're not all necessarily bad, in every case, and are not necessarily good. It just depends on your situation.

The same with shopping applications; I mean, if you really want that shopping application, and as long as legal means are obtained to get it, you can have it. But if you're on a corporate network, they tell us quite plainly, we don't want shopping applications on our network, period; that's a productivity impact tool, or that's an information leakage tool. So, you know, we are covering the greynet sphere, IM, peer-to-peer, how we conduct research, specific research… that we're doing.

A little bit of the personal facts about our researchers, that's another exciting thing: we have guys from Bangalore, India, from the U.K., from Belgium, from West Virginia, so we have a really diverse crew of very, very intelligent people looking at a wide variety of problems and angles and talking about what we see.
Jeff Molander: And you guys do see some really interesting things, and you, I know, can't talk too much about some things you see that you turn over to Federal authorities for further investigation, and that's led to some really big news actually, with some things looking like they're pointing to legitimate Middle East cyber terrorism. I won't ask you to talk about that, but I will ask you to maybe share something that you saw that was, I don't know, unexpected or humorous or interesting, that's colorful.
Wayne Porter: Whenever we see something we give it to the proper authorities and that's all I can say. There was the Middle Eastern botnet bust, and it was a sensitive matter, and I can't really say what we do, except that we're a responsible company, and when we see things going on, we report them to the appropriate authorities. We really uncovered some shocking things, some things that we expected and some things that we didn't expect and some things that were completely bizarre, like, Chris, the Mr. Bean movies.
Chris Boyd: Yeah, we found the hackers out in the Middle East who were installing their own version of BitTorrent, which is a method of sharing large files in a very fast manner. They basically created their own version of BitTorrent, they were installing that on hacked PCs, and piping lots of Mr. Bean movies to the infected PCs, so....
Wayne Porter: Yeah, I don't know what kind of statement that was meant to make, Jeff, or if that was just sort of a "we can do it"; more than likely it's a probe to see how far we can go. If we can upload our own mangled version of BitTorrent and give you Mr. Bean movies, who knows, next thing you know we can give you propaganda, or we can take over your PC, or we can execute a bundled attack. There's just no limit to the problems that can occur.
Jeff Molander: Well, all right guys, we're at the end, I really appreciate your time. Again, I'm really hoping, I'm fantasizing, that we can do this again sometime, because you guys are just involved in some really interesting, fascinating stuff, I don't know what other words to use. Hope we can do this again, and really, again, I appreciate your time. Thanks.
Chris Boyd: Thank you, Jeff.
Jeff Molander: And I hope that YOU have enjoyed this program. Feedback is always welcomed to Jeff at Thoughtshapers.com.

And if you're interested in becoming alerted to future podcasts, just send me an email. Again, that's Jeff at Thoughtshapers.com. Our archives can always be found at Thoughtshapers.com/podcasts.


Transcription by CastingWords
© Copyright 2003-2009, FaceTime Communications, Inc. All rights reserved.