Here’s another example in the UK. An innocuous advertisement for socks turns into a Paul McCartney bitcoin scam.
And the full chain execution:
🡆 Ad is initiated by RTBTradeIn, a no-name programmatic ad server:
http://us-nj-e37.rtbtradein[.]com/?t=impr&bwpr=0.3750&uniq=14d856f948531518a642a4d9fad564a1
🡆 Revive Ad server (ad serving first layer)
http://servedby.aqua-adserver[.]com/afr.php?zoneid=5326&target=_blank&cb=
🡆 Uprival Ad server (second layer):
https://api.uprivaladserver[.]com/v2/a/iframe/?tid=5b943031ba2e541654823f3f&pid=5d7ece51ba2e540f7caa927e&rnd=[CACHE-BUSTING-ID-HERE]&width=300&height=250
🡆 Fake ad creative (Doc Sock for evasion)
https://cdn.uprivaladserver[.]net/images/cd0dc7bb-8ed1-45b1-9f6a-f0e662b30fee.jpg
🡆 Actual ad creative (Paul McCartney — link is still up as of this writing)
https://cdn.uprivaladserver[.]net/images/885c952d-7424-4697-a453-09891389266f.jpg
🡆 We didn’t capture the Paul McCartney “Pre-sale” page here 🤷
Abusing commercial adserver targeting
Starting November 2019, FizzCore upgraded their infrastructure (see above “second generation”) and started relying on commercial ad servers to look more legitimate. We spotted 3 different ad serving accounts (we’ve notified the vendors) for which FizzCore paid hefty monthly fees, in lieu of their previous Revive ad server (free and open source, low reputation). Below is an example of this “second generation” execution flow.
🡆 Ad “creative” loads from commercial ad server
https://servedby.flashtalking[.]com/imp/1/119139;4326760;201[…]
🡆 Using the ad server’s targeting capabilities, an additional “cloaked” script loads from:
https://cdn.flashtalking[.]com/xre/432/4326760/2929174/js/j-4326760-2929174.js
🡆 Non-targeted users (e.g. ad scanners, manual QA, etc.) get a different “fake” script at:
https://cdn.flashtalking[.]com/xre/432/4326760/2929107/js/j-4326760-2929107.js
🡆 The cloaked script contains an “extension” that the fake one doesn’t, loading an Iframe at:
https://cdn.flashtalking[.]com/117149/2929174/index.html
For good measure, the cloaked ad server iframe spawns two components:
🡆 One for the image of the creative — an iframe at FizzCore domain postel-kz[.]com (UpRival ad server)
The FizzCore domain will provide one last chance for the image to flip between Cloaked or Fake:
Fake at https://cdn.postel-kz[.]com/images/fa474b69-b04a-40c7-a202-c954b7e241c1.jpg
Cloaked at https://cdn.postel-kz[.]com/images/795a1ad2-9990-45f9-845d-b8b4663b89e0.jpg
🡆 One for the cloaked landing page — the typical FizzCore link cloaker, this time at busetex[.]com.
For the “Fake” ad, it redirects to an unrelated legitimate website, here it’s a RyanAir ad that they borrowed in the wild:
https://www.ryanair.com/flights/de/de/fluege-nach-dublin .
For the “Cloaked” ad, it redirects to the “Pre-sale” page:
We’ve notified the commercial ad servers impacted and they quickly took down the threat actor’s accounts.
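The execution flow above boils down to one placement serving two different realities: scanners and manual QA get the “fake” creative and a borrowed legitimate landing page, targeted users get the cloaked creative and the “Pre-sale” page. The detector below is an added example (not Confiant’s tooling) that compares captured chain observations of the same placement across personas and flags any placement whose creative or landing host diverges; the observation records and the `/presale` path are constructed, the domains are the ones named in this section.

```python
"""Flag ad placements whose creative or landing page differs by persona (cloaking)."""
from collections import defaultdict
from urllib.parse import urlparse


def refang(url: str) -> str:
    """Turn a defanged IOC such as 'cdn.postel-kz[.]com' back into a parseable URL."""
    return url.replace("[.]", ".")


def host_of(url: str) -> str:
    return urlparse(refang(url)).hostname or ""


# Constructed observations: one placement scanned under two personas, plus a
# benign placement that looks the same to everyone. Field names are this example's own.
OBSERVATIONS = [
    {"persona": "scanner", "placement": "flashtalking-4326760",
     "creative": "https://cdn.postel-kz[.]com/images/fa474b69-b04a-40c7-a202-c954b7e241c1.jpg",
     "landing": "https://www.ryanair.com/flights/de/de/fluege-nach-dublin"},
    {"persona": "targeted-de-mobile", "placement": "flashtalking-4326760",
     "creative": "https://cdn.postel-kz[.]com/images/795a1ad2-9990-45f9-845d-b8b4663b89e0.jpg",
     "landing": "https://startlivingbetternow[.]com/presale"},  # path is constructed
    {"persona": "scanner", "placement": "benign-placement-1",
     "creative": "https://cdn.example-adserver.test/socks.jpg",
     "landing": "https://shop.example.test/socks"},
    {"persona": "targeted-de-mobile", "placement": "benign-placement-1",
     "creative": "https://cdn.example-adserver.test/socks.jpg",
     "landing": "https://shop.example.test/socks"},
]


def detect_cloaking(observations):
    """Return {placement: {persona: (creative_path, landing_host)}} for every placement
    where at least two personas saw a different creative or landing host."""
    by_placement = defaultdict(dict)
    for o in observations:
        fingerprint = (urlparse(refang(o["creative"])).path, host_of(o["landing"]))
        by_placement[o["placement"]][o["persona"]] = fingerprint
    return {p: seen for p, seen in by_placement.items() if len(set(seen.values())) > 1}


if __name__ == "__main__":
    for placement, seen in detect_cloaking(OBSERVATIONS).items():
        print(f"cloaking suspected on {placement}:")
        for persona, (creative, landing) in seen.items():
            print(f"  {persona:18} creative={creative} landing={landing}")
```

In practice the observations come from the same placement being loaded under several user agents, geos and referrers; a placement that is consistent across personas is not proof of honesty, but divergence on the same placement is a strong signal worth a human look.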
Scale
In the ad tech ecosystem
So far, Confiant has detected FizzCore as a buyer on 8 different ad platforms, 4 of which are Tier-1 demand side platforms. FizzCore also obtained access to 3 buy-side ad servers that they progressively leveraged in place of Revive (an open source ad server) to build up legitimacy.
By geography
We have tracked FizzCore across Europe as well as in Oceania:
- Heavily impacted: United Kingdom, Germany, Italy
- Presence detected: Sweden, France, Spain, Netherlands, Australia, New Zealand
By the numbers
As of this writing, FizzCore is heavily focused on Germany. They’ve had a presence in the country on and off through the last 2 months, with progressively increased scale.
On January 14, 2020, FizzCore served about 14 million shocking celebrity ads on German news sites (based on extrapolated Confiant data).
Standard clickthrough rates in banner ads are abysmal, in the range of 0.01% to 0.1%. By leveraging shocking imagery, FizzCore is able to boost those numbers to up to 3% or more (source: ad industry partners on actual FizzCore campaigns). Let’s look at their performance and ROI using some rough assumptions:
- Views ➡ 14,370,000 (extrapolated from Confiant’s website coverage)
- Clicks ➡ 215,550 (1.5% clickthrough conservative average based on actual ad server data)
- Victims ➡ 2,156 (1% conversion estimate)
- Damage ➡ $6,466,500 ($3,000 average)
- FizzCore net earnings ➡ $1,293,300 ($600 payout)
So, on a big day this is north of $1m net profit in only one country — keeping in mind this is a back-of-the-envelope approximation to get a sense of the magnitude.
Attribution
Who is running FizzCore? How much of the supply chain do they operate?
The Ad Tech Buyer
We have a clear map of the threat actor’s presence on programmatic advertising especially on news websites in Europe. This is what we initially started calling FizzCore.
By working with some trusted partners in the industry a few names kept coming up:
- TomorrowAds: An ad agency with presence in US, Argentina, Spain, Israel
- RevenueLift: Another ad agency with presence in US, Argentina, Spain. It appears to be somehow affiliated with Mango Media Partner, with shared employees and a shared location in Spain. At the time of writing this article, their website had been very recently taken down but can be found on Archive.org (LinkedIn is still up though).
These companies are responsible for buying ad traffic on one side, and obtaining access to commercial ad servers on the other side. We have no additional information on their involvement in the scheme.
The Affiliate
Reviewing tens of different celebrity-endorsed “Pre-sale” pages for this bitcoin scam, we were able to associate FizzCore with two domains that are strongly tied to the rest of their infrastructure:
- startlivingbetternow[.]com (Seen in Germany)
- news-now[.]media (Seen in Italy and UK)
Additional evidence is available by inspecting a script on the page at https://news-now[.]media/js/tag.js
The purpose of this script is to link all these domains for tracking purposes in Google Analytics (learn more about GA’s “linker” feature).
These domains all follow the same patterns and most of them are part of our IOCs from the ad campaigns. This is strong evidence that the ad campaigns and these “pre-sale” pages are operated by the same actor.
Previous FizzCore campaign (May 2019)
Through our investigation, another “Pre-sale” page domain showed up multiple times: presswirenewsday[.]com, especially in Australia, Spain and the Netherlands (see appendix for screenshots and references).
This pre-dates our investigation and we don’t have ad data on it but it uses click-baity banner ads of a different style, photos of government officials juxtaposed with scantily clad women as presented by Steemit in Australia.
Crucially, online advertising blog prebid.blog in May 2019 mentions UpRival as the ad server powering this malicious campaign in Spain. This is a strong tie to our threat actor and the similar modus operandi makes us think that we’re dealing with a previous iteration of FizzCore here.
The Marketer
All elements indicate that the Bitcoin scam is operated by a separate entity that outsources lead generation to affiliates, FizzCore being one of these affiliates.