Confiant Threat Intelligence Team
Ad-Based Financial Investment Scams - Part III
What is Being Done to Prevent Ad-Based Investment Scams?
In Part I and Part II we discussed how Ad-Based Investment Scams have become a worldwide problem, with significant losses to individuals, very few laws regulating these scams, and lagging action by authorities and financial institutions, all of which leaves law enforcement and fraud departments with minimal incentive, or authority, to take action. Now we will examine what organizations are attempting to do about the problem and what else can be done.
Complexity of Investment Scam Designs
Criminals who design ad-based investment scams are very sly and devious about their designs. They are fully aware that their scams may be discovered and stopped at any point, so they create redundant designs that can recover or be easily rebuilt whenever they are discovered or stopped. Those designs also draw anyone trying to stop them into “Whack-A-Mole” situations (a game that is designed to make them lose), where new scams appear as fast as old scams are stopped.
The first section of the design is the advertising loop, which we call the “Ad Whack-A-Mole” because of the difficulty it creates in stopping and eliminating the ads that lead to the scams. The second section is the Legal Entity Factory, or “Financial Whack-A-Mole” as we call it, because of the difficulty it creates in stopping and eliminating financial fraud. Each loop is designed to make it difficult for responsible ad tech and banking fraud prevention departments to find and stop the false-front ads, the fraud activities, and the actual transfers of funds from victims. Whenever a portion of the scams does get blocked, threat actors recreate a slightly different ad or financial entity with nearly identical functions to the previously blocked scam, and they start the loop over again. Each loop is designed to be autonomous, but the loops act in unison while hiding the fact that they are linked.
The Ad Community's Part
As with many problems facing the marketplace, there are often many different viewpoints on how to fix the problems and on who is responsible for, or in charge of, implementing those fixes and remediations. The advertising community has long been aware of the ad-based financial scam issue. Over the last few years the news media has exposed that both the rate of occurrence and the quantity of scam ads are on the rise. It would be difficult for any Platform, Publisher, or even well-known celebrity to say that they are not aware of the issues, as all have been affected by, or accused of somehow being involved in, these scams. Not only have cases and incidents become well publicized, but most have received complaints from victims who were scammed out of funds because they couldn’t differentiate between malicious scam or cloaked ads and legitimate ads, with both rendering side-by-side on the same well-known and trusted websites. The same can be said for legitimate endorsements from those same celebrities. The victims trusted either the website where they viewed the ad or the representation of a trusted celebrity name or face before they clicked through to the scammer’s trap. Either way, the scams clearly degrade the reputations of websites and brands that are reliant on legitimate advertising revenues, and cause a loss of trust among their audiences. That has impacted the reputations and revenues of the advertising community.
Recently, Google announced that they will require any company advertising financial services on the Google search engine (in the UK) to be authorized by the Financial Conduct Authority (FCA). While this sounds like an admirable first step, considering that Google is the largest ad tech platform in the world, it is indeed a very small step, focused only on the UK audience and not on the entire public Internet where Google’s search engine dominates. Also, Google’s new requirement only affects those ads actually offering financial services within the ad itself. Only a portion of the scam ads actually advertise financial services; many others draw victims to the threat actor’s websites, where offers of financial services are not easily observed.
The results? Since the Google announcement, the quantity of ads with security violations, many leading to financial scams, has increased within the UK as well as worldwide. This is unfortunately predictable given the arms-race nature of the cyber security cycle, where every action, even a preventative one, will attract more sustained attention from an ever larger group of bad actors who interpret attention as an opportunity for malicious profit. In our Malvertising and Quality Index (MAQ) report for Q3 2021, Confiant reported that the overall worldwide ad security violation rate nearly tripled over the prior quarter’s rate and is now at the highest level in over a year. The MAQ reported large increases in ad security violations over the Q2 2021 rates throughout Great Britain, France, Spain, and Germany. For that period, Google’s worldwide sell side (SSP) ad security violation rate exceeded the industry average by 48%. While many of the other top SSP security and quality violation rates in the same report showed improved vigilance around reducing those violations, Google slipped into second from last place among top SSPs because, due to their size, they have borne the brunt of this new attack cycle. A recent MIT Technology Review article found, though, that tech giants Facebook and Google are paying millions of ad dollars to bankroll clickbait actors, with engagement-driven algorithms that amplify and monetize inflammatory content, fake news, and misinformation, fueling misinformation globally. So the reality is more nuanced than this just being about the bad actors going after the biggest until their defenses catch up. The Ad Ecosystem has the ability to prevent ads with security violations from appearing on sites, but they need to change their tactics and employ technology that creates transparency and control if they wish to combat the malicious ads.
Some Publishers and Ad Platforms in the community have begun to tackle the problem by implementing ad threat intelligence reporting and blocking solutions in order to prevent the scam ads from appearing on their websites. The attackers had until recently focused primarily on compromising display ads, but over the past two years malicious activity has surged in all the other media channels too (search, social, native, video, etc.). Depending on the technology and expertise of the threat intelligence solution implemented, scam ads that lead to financial scams aren’t always recognized or exposed because, as discussed earlier in this blog post, the ads themselves do not always trigger ad security alerts and may be considered safe by typical ad threat scanner solutions. It takes a well-designed, savvy combination of real-time scanning technology and the seasoned expertise and knowledge of the solution designer’s threat intelligence staff to create a solution that automatically identifies the most dangerous scam ads.
Those that have implemented the best solutions and the best practices have already delivered protection to their users and achieved reduced ad security violation rates that are lower than industry averages, even during periods of increasing worldwide security violation attacks. Individual cases are identified in Confiant’s ongoing MAQ report series.
The Government's Part
Government entities around the world vary in their approach to, and enforcement against, ad-based financial scams. In 2016, the UK created and launched the National Cyber Security Centre (NCSC) to help make the UK the safest place to live and work online. This is part of the UK’s attempt to thwart online security threats. But fast-forward, and articles like this one in the Economist of November 27, 2021, “Scams and fraud are criminally under-policed in Britain”, are still reporting increases in criminal activities, with limited police activity to counteract the increasing onslaught of criminal scams. Government activities have not been without results though, with multiple different reports in January 2022 stating that the Russian intelligence service (FSB), in cooperation with reports from United States threat-intelligence identifying the culprits in several high-profile ransomware attacks, arrested the suspected leaders of the notorious international ransomware gang REvil. The statement from the Russian FSB and Russian Ministry of Internal Affairs indicated that their combined efforts have neutralized the information infrastructure of that criminal organisation.
Tangential to ad-based investment scams, the UK’s Action Fraud, the national reporting centre for fraud and cyber crime, revealed on November 22, 2021 that 28,049 shoppers were scammed out of approximately £15.4 million when shopping online over the prior 2020 Christmas period. That’s in addition to the £1.6m lost to online charity fraud scams during 2020, reported by the Fundraising Regulator, the Charity Commission for England and Wales, National Trading Standards and Action Fraud, who joined forces to warn the public of ad-based charity scams, which increase every year during the Christmas Holiday Season.
On October 13, 2021 the US Federal Trade Commission (FTC) included a clear message to any businesses that pitch money making ventures, that if they deceive or mislead consumers regarding potential earnings, the FTC will be ready to hold them responsible with every tool at its disposal. This lays the foundation for US enforcement authorities to pursue financial scams advertised to the public.
In Australia, some regulatory entities have begun to hold businesses accountable for losses of consumer personal information and financial fraud losses, if they do not adequately protect those consumers from fraud or safeguard their data. The Australian regulatory entities include: Australian Competition and Consumer Commission (ACCC), Australian Securities and Investments Commission (ASIC), Office of the Australian Information Commissioner (OAIC), and Australian Cyber Security Centre (ACSC) among others. In addition, Australia has created laws against paying ransom to cyber criminals under their AFP, DFAT, CDPP laws.
Well-known celebrities have joined forces to object to their likenesses and names (or brands) being used in these scams, demanding that the UK Prime Minister, their government and law enforcement take action against the fraudsters and the malvertising. In November 2021, MSE News, NewsChain, the Metro and others reported that Martin Lewis, Sir Richard Branson, Deborah Meaden and other public figures issued a plea to the UK’s Prime Minister to put scam ads in the Online Safety Bill.
The Bank's Part
According to the banking trade body UK Finance, there was a 71% increase in reported cases of financial scams in the first half of 2021 over 2020, amounting to more than £355 million in total losses. Criminal scams accounted for £4 million in daily losses for the first half of 2021.
In the UK there is a voluntary program that was instituted in 2019 whereby participating banks will reimburse their patrons who became victims of Push Payment Fraud (which includes the Ad-Based Financial Scams discussed above). However, in a November 18, 2021 Daily Mail article, there were several reported instances where the same banks that joined the voluntary program were not actually treating scammed customers fairly, and issues took several months to be settled by the UK Financial Ombudsman. In some cases, banks offered less than half of the stolen funds to customers or rejected their claims completely, based on the bank’s interpretation of the regulations of the program. The Daily Mail article reports the case of an elderly couple, the Brodies, who were scammed out of £21,000 by scammers posing as banking employees. Their bank offered only half of that amount in reimbursement, and the Brodies had to wait eight months before their complaint through the Financial Ombudsman finally settled in their favor.
As a result, some authorities in the UK have begun to create regulations that will hold financial organizations responsible for the mandatory replacement of funds lost by victims of financial scams if the organizations do not adequately protect and warn consumers in advance of being scammed. Those financial organizations include banks, building funds, credit card companies and some financial institutions. Regulatory authorities changed from a voluntary to a mandatory program in order to make financial institutions fiscally responsible for the problem. They want financial institutions to take action, as well as responsibility, to protect their own customers and to do more to prevent financial scams and fraud. Those recent changes in the rules of the program will now make reimbursement by banks for their scammed patrons’ losses mandatory, and may also include fines if the banks are not treating customers fairly. The new mandatory program will force UK financial institutions to have financial “skin in the game”.