
AI Is On The Frontlines Of The Russia-Ukraine Cyberwar


Russia’s invasion of Ukraine is a test case for how ad tech can be used as an instrument of psychological warfare, destabilizing a populace not only with propaganda but also methods designed to steal personal and financial data.

Many of the same programmatic advertising tools used by ad tech companies to optimize campaigns are also being used by scammers to identify and exploit vulnerabilities.

Some ad tech companies are fighting back with their own AI-powered tools.

Exploiting weakness

Staying ahead of online scammers requires constant vigilance.

Bad actors embed malware within ad creative, and it can slip through the cracks because DSPs and SSPs process billions of ad impressions per day. Once a user clicks a malware-infected ad, they expose themselves to attacks, including phishing, e-skimming or backdoors.

Through phishing, scammers attempt to get personal information and account logins by dangling a fraudulent incentive, like a gift card. E-skimming places malicious code on a page to steal login credentials and user data. Backdoors install software onto a user’s device that leaves them exposed to future attacks, such as generating invalid traffic.

Self-serve ad platforms are particularly vulnerable, because they tend to only conduct basic creative audits, said Yaroslav Kholod, director of programmatic operations at Admixer, a Ukraine-based ad tech company that noticed a spike in malvertising in the lead-up to Russia’s invasion last year.

Admixer, which has tools for the buy and sell side, partnered with digital safety platform The Media Trust (TMT) to block more than 9,000 malicious ad creatives from being served on Ukrainian publisher sites between November 2021 and March 2023.

Smarter scams

The challenge is that scammers have become more sophisticated, and the opacity of the digital advertising supply chain can help criminals hide their activity.


For example, bad actors have learned to work with legitimate DSPs and SSPs. And they often switch out creative assets in the middle of a campaign. So a campaign that passes a DSP’s pre-flight checks could suddenly start serving infected creative without the DSP catching it.

“They know how to exploit reseller agreements to get into major publishers and target the consumers they really want,” said Gavin Dunaway, product marketing lead at TMT.

Also, there is no industrywide standard for identifying and fighting propaganda and state-funded malicious activity. This insufficiency leads to ad hoc partnerships like the one between Admixer and TMT.

Timeline of attacks

By November 2021, reports were coming in of Russian military buildups near the Russo-Ukrainian border, which is also when TMT noticed a spike in malvertising incidents targeting Ukrainian devices. Between November 2021 and January 2022, these incidents increased 330%.

This mostly included an explosion of phishing campaigns executed through redirects from an ad’s landing page to a spam site, which represented 26% of all incidents during this period.

In TMT’s view, these were likely test campaigns to determine the most effective attacks before the invasion officially began in February 2022, at which point phishing activity increased on Ukrainian publisher sites, reaching a peak in late March 2022.

On March 27 alone, TMT observed 62 distinct malware attacks in Ukraine affecting nearly 3,500 impressions.

Admixer worked with TMT to develop a block list of Russian advertisers and ad buyers tied to Russian ally Belarus and integrated TMT’s Media Filter tool into its SSP to block impressions from suspected malvertisers. Admixer also started more closely scrutinizing creative tags in its DSP and trained an internal team to identify threats as they’re happening.

Until March of last year, phishing attacks were the most common, representing 26% of all incidents. One particularly elusive phishing method called GhostCat-3PC, which targets mobile devices to steal user data, was prominent.

“There are some GhostCat variations that have lasted four years,” Dunaway said. “We think whoever is behind it has a background in ad tech, because they know the areas to hit.”

But then, between April and August 2022, TMT observed a marked drop in the number of malvertising incidents as government sanctions went into effect, ad tech platforms got savvier, and Ukrainian publishers began blocking Russian domains.

However, starting around September 2022 and through March of this year, a second wave of malware hit Ukraine – and this time, backdoor attacks were the most common, including MimicManager-3PC and MudOrange-3PC.

These scams involve ad clicks that take users to hacked landing pages, including hacked versions of legitimate brand websites. Ads then prompt users to download software that enables backdoor exploits, such as ransomware or keylogging.

TMT made a curious discovery, however: The diversity of incidents during the second wave decreased while the number of impressions that were served malware went up.

This suggests Russian malvertisers have identified ways to deploy backdoors successfully and are optimizing their malicious campaigns toward users who are likely to fall for them, Dunaway said.

That optimization has contributed to more malicious impressions being served overall. In 2021, TMT observed 6,437 malicious impressions targeting Ukrainians, and that number grew to 40,550 in 2022, a 530% YOY increase.

AI’s role on both sides

But ad tech vendors and their partners are using AI to fight fire with fire.

While AI makes it easier for bad actors to identify vulnerabilities, generate fake landing pages and exploit unsuspecting users at scale, it also allows companies like TMT and Admixer to identify patterns among the massive data sets they have at their disposal.

For instance, DSPs can easily miss malware hidden in creative assets because they’re not testing ads on a variety of devices or in environments that emulate the ad experience of people across different geos.

TMT uses AI to mimic the media environments on different devices and operating systems around the world, which is why it noticed the uptick in scams targeting Ukrainians before the invasion.

It also helps that most malvertisers are creatures of habit.

Once they find a method that works, they “use the same patterns over and over again, whether it’s domains, the cloud storage and file names or the creatives themselves,” Dunaway said. “So we can use AI to find this stuff at scale.”
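The two defensive checks the article describes, re-verifying a creative against its pre-flight record so a mid-campaign asset swap is caught, and matching the hosts it touches against a block list of reused infrastructure, can be sketched in a few lines. This is an added illustration, not code from Admixer or The Media Trust; the campaign names, hostnames and asset bytes are constructed placeholders, not indicators from the article.

```python
import hashlib
from dataclasses import dataclass

# Constructed block list of hosts seen reused across earlier incidents (placeholders).
BLOCKLIST = {"bad-cdn.example", "lure-gift.example"}


@dataclass(frozen=True)
class Creative:
    campaign: str
    asset_host: str    # where the creative asset is fetched from
    landing_host: str  # final host after the click-through redirect chain
    asset_bytes: bytes

    def fingerprint(self):
        # Everything that must stay fixed once the creative has passed pre-flight.
        return (self.asset_host, self.landing_host,
                hashlib.sha256(self.asset_bytes).hexdigest())


def approve(creatives):
    """Pre-flight check: record the fingerprint of each approved creative per campaign."""
    return {c.campaign: c.fingerprint() for c in creatives}


def audit(approved, served):
    """Re-check a creative at serve time. Returns reasons to block; an empty list means serve."""
    reasons = []
    if served.campaign not in approved:
        reasons.append("no pre-flight record")
    elif served.fingerprint() != approved[served.campaign]:
        reasons.append("creative changed after pre-flight")
    for host in (served.asset_host, served.landing_host):
        if host in BLOCKLIST:
            reasons.append(f"blocklisted host {host}")
    return reasons


# Constructed sample campaign: the approved creative, a swapped asset, and a changed landing host.
CLEAN = Creative("camp-1", "cdn.brand.example", "brand.example", b"<banner v1>")
SWAPPED = Creative("camp-1", "cdn.brand.example", "brand.example", b"<banner v2 + loader>")
REDIRECTED = Creative("camp-1", "cdn.brand.example", "lure-gift.example", b"<banner v1>")
APPROVED = approve([CLEAN])

if __name__ == "__main__":
    for c in (CLEAN, SWAPPED, REDIRECTED):
        print(c.campaign, audit(APPROVED, c))
```

The point of the fingerprint is that the pre-flight verdict is only valid for the exact asset and redirect destination that were audited; anything that drifts is re-queued for review rather than served.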

Since working with TMT in the early days of the invasion, Admixer’s block rate is up by 150%, and there’s been a 700% increase in the number of malware-infected creative tags it’s been able to identify. To date, Admixer has blocked roughly 36 million malicious impressions from being served in Ukraine.

But the industry must do more than rely on AI to prevent cyber warfare in the programmatic ecosystem, said Admixer’s Kholod. He hopes platforms will stop using a lack of malvertising as a competitive differentiator. Companies should work collaboratively through initiatives like the Trustworthy Accountability Group’s Threat Exchange to ensure all platforms are as free from malvertising as possible, he said.

Collaboration can help the industry overcome the self-centered patterns of behavior that have allowed scammers to flourish, Dunaway added.

“[Bad actors] know how to exploit the business,” he said. “They know things are always moving, and they also know a lot of people think [fighting scams] is the downstream partner’s problem – [but] when we start thinking that way, that’s when people in war-torn countries get attacked.”

Update 6/1/23: A previous version of this story cited SmartyAds as an example of a white label platform whose tech could be purchased and exploited by malvertisers. Admixer clarified that it has no evidence that SmartyAds’ white label tech was used to facilitate malvertising activity in Ukraine, so that reference has been removed.
