Promises of free currency in Roblox have lured hundreds of teenagers into a hacker trap

Internet scams targeting children are on the rise in the US.

Over the past five years, thousands of websites from US government agencies, leading universities and professional organizations have been hacked and used to promote plausible but fraudulent offers and promotions. Many of these scams have targeted kids and tried to trick them into downloading apps, malware, and even volunteering their personal details in exchange for non-existent Fortnite and Roblox rewards.

For more than three years, cybersecurity researcher Zach Edwards of Human Security has been tracking these scams. According to him, this activity is associated with users of one particular advertising company, CPABuild, registered in the United States. The company acts as a service that directs web traffic to a range of online advertisers, allowing individuals to register and use its systems, apparently without worrying too much about the safety of Internet users.

Each day, Edwards discovers dozens of hacked .gov, .org, and .edu domains. Here's what he thinks about the hackers behind this threat: "This group of attackers, in my opinion, is number one in the massive compromise of infrastructure on the Internet, the use of fraudulent schemes and other types of malicious exploitation." The scale of the ongoing hacks and the public nature of the scams make the group stand out from other online attackers, the researcher notes.

The hackers' schemes and ways of making money are complex, but each of the sites is hacked in the same way. Basically, attackers use vulnerabilities or weaknesses in the backend or content management system (CMS) to upload malicious PDF files to the site.

These documents, which Edwards calls "poisoned PDFs," are designed to appear on search engines and promote "free Fortnite skins," "Roblox in-game currency generators," or "broadcasts of hit movies" like Barbie and Oppenheimer. PDFs contain hundreds of keywords, so many people will end up on an infected site one way or another.

When a victim downloads a malicious PDF file and clicks on a link within it, they are redirected through multiple sites and end up on fraudulent landing pages. As the researcher notes, there are "a lot of landing pages that seem very child-friendly."

One example is a fraudulent service that ostensibly generates in-game currency for Roblox. Here the player is asked to enter his nickname and indicate the operating system, after which it will supposedly be possible to get as many free coins as the gullible gamer wishes, but this is where the main catch lies.

A pop-up window headed "Last step!" states that the free game coins will be unlocked only if the victim registers with another service, enters his personal data there or downloads a malicious application. These actions do not lead to the desired reward, but the scammers may well earn money by selling the user's personal data on the darknet.

Such scams have been around for a long time, but these scams stand out because they are somehow connected to the advertising company CPABuild and its participants, says Edwards. All hacked sites that upload PDFs access C2 servers owned by CPABuild.

One might think that CPABuild is a scam company from the start that has somehow survived with impunity for many years, but there is a nuance here. The "CPA" in the company's name stands for "Cost Per Action" or "Pay Per Action". The company was created to promote such ads on completely legal terms, but it is unlikely that its specialists have the physical ability to control every fraudulent ad.

The company's website claims that it conducts "daily" fraud checks to catch cybercriminals abusing the platform, and the terms of service basically prohibit customers from engaging in fraudulent activity. However, Edwards' research shows that no matter how much effort CPABuild has actually made, it hasn't really made a difference so far.

The researcher himself says that the scheme can still go unpunished, since all malicious links in the compromise process are transmitted through redirect services that mask the identity of the attackers. In addition, data thieves, especially those who work on a voluntary basis, may go completely unnoticed, since the damage from them is not as obvious and visible as from the same ransomware.

Meanwhile, the use of CPABuild in fraudulent schemes has been known for a long time. Edwards of Human Security drew CISA's attention to the hacked government sites and to CPABuild's mediation in the attacks, but this did not lead to visible results.

CPABuild has also been repeatedly discussed in cybercrime forums, so many hackers are well aware of how this platform can be used for their own purposes. "Many users are looking for instructions on how to get approved with CPABuild, as well as CPABuild accounts they can buy," says KELA's Director of Threat Research.

One way or another, no matter how many complaints Internet users and researchers file about CPABuild, apparently the company cannot be closed for good in the USA without good reason. This is in many ways reminiscent of the story of Telegram being used by various kinds of intruders. It is unlikely, though, that CPABuild has any positive aspects that have made the life of Internet users better and more convenient, which cannot be said of Telegram.

This story clearly shows that the Internet is still a place full of dangers, especially for children, who may not hesitate to leak information about themselves or their parents for a hundred or two Robux.

Parents should be especially vigilant when explaining to their children that promises of something too good to be true are often scammers' traps. Kids should know never to enter personal information or download apps for promised online rewards.

We also see that companies like CPABuild have a much greater responsibility to monitor fraudulent activity on their platforms in order to protect Internet users.
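
The "poisoned PDFs" described above leave something a site administrator can check for in a CMS upload directory: a PDF that combines lure keywords with links pointing off the site. The triage heuristic below is an added example, not code from the article or from Edwards' research; the function names, the hit threshold and the example.edu / example.net hosts are assumptions, and it only sees text and links stored raw or in Flate-compressed streams.

```python
import re
import zlib

# Lure phrases quoted in the article; MIN_LURE_HITS is an assumed tuning value.
LURE_TERMS = ("fortnite skins", "roblox", "robux", "generator")
MIN_LURE_HITS = 3
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
LINK_HOST_RE = re.compile(rb"/URI\s*\(\s*(?i:https?)://(?:[^/?#)\s]*@)?([^/:?#)\s]+)")

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw file bytes plus every stream that inflates as Flate (zlib) data.
    decompressobj ignores the end-of-line bytes left before 'endstream'."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # another filter is in use; the raw bytes are already included
    return b"\n".join(parts)

def triage_pdf(pdf: bytes, site_host: str) -> dict:
    """Flag a PDF that pairs lure keywords with links leaving site_host."""
    blob = searchable_bytes(pdf)
    hosts = {h.decode("latin-1").lower() for h in LINK_HOST_RE.findall(blob)}
    offsite = sorted(h for h in hosts if h != site_host.lower())
    lowered = blob.lower()
    hits = {t: lowered.count(t.encode()) for t in LURE_TERMS if t.encode() in lowered}
    suspicious = bool(offsite) and sum(hits.values()) >= MIN_LURE_HITS
    return {"offsite_hosts": offsite, "lure_hits": hits, "suspicious": suspicious}

def make_sample(text: str, url: str) -> bytes:
    """Constructed PDF fragment: one link annotation and one Flate text stream."""
    body = zlib.compress(f"BT /F1 12 Tf ({text}) Tj ET".encode())
    return (b"%PDF-1.4\n1 0 obj\n<< /Subtype /Link /A << /S /URI /URI ("
            + url.encode() + b") >> >>\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed samples; example.edu and example.net are placeholder hosts.
POISONED = make_sample("free fortnite skins roblox robux generator free robux",
                       "https://redirect.example.net/go?k=1")
BENIGN = make_sample("Course syllabus, spring term", "https://www.example.edu/syllabus")

if __name__ == "__main__":
    for name, pdf in (("poisoned", POISONED), ("benign", BENIGN)):
        print(name, triage_pdf(pdf, "www.example.edu"))
```

A hit is a reason to review the file and how it was uploaded, not proof of compromise; PDFs that encode their text with custom fonts or other filters need a full PDF parser.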