reader comments
12 with
Thousands of websites belonging to US government agencies, leading universities, and professional organizations have been hijacked over the last half decade and used to push scammy offers and promotions, new research has found. Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for nonexistent rewards in Fortnite and Roblox.
For more than three years, security researcher Zach Edwards has been tracking these website hijackings and scams. He says the activity can be linked back to the activities of affiliate users of one advertising company. The US-registered company acts as a service that sends web traffic to a range of online advertisers, allowing individuals to sign up and use its systems. However, on any given day, Edwards, a senior manager of threat insights at Human Security, uncovers scores of .gov, .org, and .edu domains being compromised.
“This group is what I would consider to be the number one group at bulk compromising infrastructure across the Internet and hosting scams on it and other types of exploits,” Edwards says. The scale of the website compromises—which are ongoing—and the public nature of the scams makes them stand out, the researcher says.
The schemes and ways people make money are complex, but each of the websites is hijacked in a similar way. Vulnerabilities or weaknesses in a website’s backend, or its content management system, are exploited by attackers who upload malicious PDF files to the website. These documents, which Edwards calls “poison PDFs,” are designed to show up in search engines and promote “free Fortnite skins,” generators for Roblox’s in-game currency, or cheap streams of Barbie, Oppenheimer, and other popular films. The files are packed with words people may search for on these subjects.
cost per action (CPA) by advertisers and marketers.
terms of service prohibit those using it from being involved in fraud and from sharing multiple kinds of content.
The website claims it has paid out more than $40 million to publishers and has thousands of templates and landing pages. Within CPABuild, there are various tiers of users. The website’s affiliate structure is displayed in an image on its homepage. Members can be categorized as managers, devils, demons, wizards, masters, and knights. In one video uploaded by a CPABuild member on August 11, an admin account can be seen sharing a message with users that indicates the company has taken steps to prevent the platform from being used for fraud. “We are still getting reports that CPABuild publishers are promoting offers in ways that violate our terms of service,” a message seen on the screen reads. Edwards’ research shows, however, that whatever efforts CPABuild has taken have failed to prevent its users from engaging in rampant fraud.
“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent cybersecurity and ad fraud investigator, who reviewed a summary of Edwards’ findings. “Specialists like the ones identified in the research carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Customers come to them for that speciality.”
Scores of websites are currently impacted by the PDFs. This week, the New York State Department of Financial Services removed PDFs uploaded after being contacted by WIRED. Ciara Marangas, a spokesperson for the department, says the issue was first identified in 2022, and following a review and additional steps, the files were removed.
