
Banks vulnerable to ad fraud 'zombie army': Report


A new report claims that some of America's top financial organizations have unknowingly been compromised by an ad fraud "zombie army" that will cost advertisers an estimated $3 billion by the end of the year.

Fraud intelligence platform Pixalate released research Wednesday about Xindi, a botnet that it believes has taken over as many as 8 million computers in more than 5,000 legitimate organizations. The group includes 10 percent of Fortune 500 companies, 200 financial and government organizations, and about 1,500 university networks.

Pixalate said that some Internet Protocol (IP) addresses — or numbers identifying devices that belong to a specific network — from Wells Fargo, Citigroup, LPL Financial, Bloomberg and Morgan Stanley machines seem to have been infected by Xindi. General Motors, Lowe's and Marriott International also made the concerning list. Pixalate added that the companies have a "critical" or "high" likelihood of being infected, but also acknowledged that there is a small possibility that the botnet orchestrators are masking activity to make it seem like it is coming from these sources.

"When we look at IP addresses infected by botnets, generally they are owned by Internet service providers from regular households," said Pixalate's CEO, Jalal Nasir. "This one seems that they belong to reputable organizations. That's the concerning part."

Three of the companies mentioned commented on Xindi. LPL said it was aware of the report and was currently analyzing it. However, the company's internal reviews and external cybersecurity experts had not found any areas of concern, LPL said. GM and Wells Fargo emphasized their commitment to providing layered protection for their corporate and consumer networks, but offered no further comment at this time.

Sources at several companies told CNBC they hadn't discovered the alleged botnet in their systems, and when they asked Pixalate to share information on infected IP addresses, the company declined to offer more details.

Pixalate responded with the following: "Pixalate has spoken with all companies that have reached out and has provided them with the information they have requested."

Botnets or "zombie armies" are groups of computers that have unknowingly been taken over by a remote source for nefarious purposes. Usually computers are "infected" when users visit websites with hidden "Trojan horse" viruses and accidentally download programs that allow others to control their device. Panda Security estimated that close to 40 percent of desktop PCs are infected with this malware.

In the case of botnets used for ad fraud, the orchestrators make computers surf the Internet even when the real user is not using their device. This makes companies think that this specific person is going to various websites and seeing their advertisements. Brands pay for each ad "impression," even though it is just a computer program seeing the content. The Association of National Advertisers and security firm White Ops estimated that fake ad traffic will cost advertisers a total of $6.3 billion in 2015.

"Ad fraud is the new robbery," said Maor Sadra, managing director of AppLift, which helps mobile app advertisers find users based on how active they are in using the app.

Sadra said ad fraud can be easy to detect if you can find patterns in online behavior, for example extremely high click-through rates or a large amount of traffic coming from one area. However, every time companies discover something amiss, the perpetrators find a new pattern.
What makes Xindi especially dangerous is that it has the ability to delay when the impressions are recorded for up to three to six hours, making it more difficult for networks to find suspicious patterns. Also, because the traffic is coming from reputable IP addresses that are likely to be real people, these "impressions" are considered premium and legitimate — driving up their cost for advertisers.
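The patterns Sadra describes (an extremely high click-through rate, traffic concentrated in one area) and the delayed acknowledgement attributed to Xindi can all be checked against an ad-event log. The following is an added example, not code from the article, Pixalate or any vendor named here; the log format, the sample events and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): event_id,ip,region,kind,event_time,reported_time
SAMPLE_LOG = """\
e01,10.0.0.5,NYC,impression,2015-11-18T09:00:00,2015-11-18T09:00:01
e02,10.0.0.5,NYC,click,2015-11-18T09:00:02,2015-11-18T09:00:02
e03,10.0.0.5,NYC,impression,2015-11-18T09:01:00,2015-11-18T09:01:01
e04,10.0.0.5,NYC,click,2015-11-18T09:01:02,2015-11-18T09:01:02
e05,10.0.0.5,NYC,impression,2015-11-18T09:02:00,2015-11-18T09:02:01
e06,10.0.0.5,NYC,click,2015-11-18T09:02:02,2015-11-18T09:02:02
e07,10.0.0.7,NYC,impression,2015-11-18T09:05:00,2015-11-18T09:05:01
e08,10.0.0.7,NYC,impression,2015-11-18T09:06:00,2015-11-18T09:06:01
e09,10.0.0.9,LON,impression,2015-11-18T09:00:00,2015-11-18T13:30:00
e10,10.0.0.9,LON,impression,2015-11-18T09:01:00,2015-11-18T13:31:00
e11,10.0.0.9,LON,impression,2015-11-18T09:02:00,2015-11-18T13:32:00
"""

def parse_log(text):
    """Parse the CSV-style lines into dicts with datetime fields."""
    events = []
    for line in text.strip().splitlines():
        eid, ip, region, kind, ev, rep = line.split(",")
        events.append({"id": eid, "ip": ip, "region": region, "kind": kind,
                       "event_time": datetime.fromisoformat(ev),
                       "reported_time": datetime.fromisoformat(rep)})
    return events

def high_ctr_ips(events, max_ctr=0.5, min_impressions=3):
    """IPs whose click-through rate is implausibly high (assumed threshold)."""
    imps, clicks = defaultdict(int), defaultdict(int)
    for e in events:
        (clicks if e["kind"] == "click" else imps)[e["ip"]] += 1
    return {ip for ip, n in imps.items()
            if n >= min_impressions and clicks[ip] / n > max_ctr}

def concentrated_regions(events, max_share=0.6):
    """Regions sending a disproportionate share of all impressions."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "impression":
            counts[e["region"]] += 1
    total = sum(counts.values())
    return {r for r, n in counts.items() if total and n / total > max_share}

def delayed_report_ips(events, min_delay=timedelta(hours=3)):
    """IPs whose impressions were acknowledged hours after they occurred:
    the Xindi-style delay that sidesteps real-time pattern checks."""
    return {e["ip"] for e in events if e["kind"] == "impression"
            and e["reported_time"] - e["event_time"] >= min_delay}
```

In the constructed sample, 10.0.0.5 trips the click-through check, NYC trips the concentration check, and 10.0.0.9 is flagged only by the reporting delay, which is why the delay matters to a defender relying on the first two signals alone.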

"By that time, it's too late," said Nasir. "If you have figured out a machine has been compromised during some fraudulent activity, you can stop (paying for those impressions). But what if the machine saw ads, but delayed acknowledgements for three to six hours? By the time the advertiser gets the notification, it may have been bidding on those same users."

Quinn Sanders, director of product solutions for video programmatic platform Videology, said while it may be disturbing that computers in these companies may be infected, most ad fraud botnet orchestrators are not interested in people's personal information. They just want to control their computers in order to drive fake traffic. (And indeed, Pixalate does not allege any consumer data has been compromised.)

"The average consumer is most important to a botnet as a node in a botnet," Sanders said. "They aren't as interested in the personal information of your Uncle Joe in Kansas City."

However, he pointed out the public should be concerned not only because of the loss in funds for these corporations but because many of these scams are used to fund organized crime syndicates.

"A lot of them have abandoned credit card and banking fraud, and have gone into digital advertising fraud because the U.S. has no jurisdiction over the countries where this is coming from," he said.