The Battle Against the Billion-Scale Internet Underground Industry: Advertising Fraud Detection and Defense presented at Black Hat USA 2022

by Zheng Huang, Yakun Zhang, Shupeng Gao, Hai Gao

Tags: Defense, Human Factors


Summary: Advertising is the main profit model of internet companies; the annual scale of the global internet advertising industry has reached hundreds of billions of dollars. Internet advertising fraud and anti-fraud may be a war that never ends. In the past few years we have traced and caught hundreds of internet underground industry practitioners, and we have watched the technical confrontation escalate and evolve.

In this talk we select some typical, large-scale internet underground industry gangs and analyze them in depth:

- Gang 1: An ultra-large-scale advertising fraud group that infected 350 million mobile phones through a mobile big-data analytics SDK. It has existed for five years, involves multiple listed companies, and its fraud targets include some global advertising giants, every mobile advertising platform and every search engine in China.
- Gang 2: PC application bundled software exposed at the China Central Television (CCTV) Consumer Rights Protection 315 Gala in 2022. It infected millions of computers and planted extension backdoors into browsers. Its fraud targets include all online shopping sites, social networking sites and advertising platforms in China. It defrauds the advertising channel for profit and secretly adds fans to "We media".
- Gang 3: Malicious click tools used for vicious competition among advertisers. They generate harassing and invalid clicks on advertisers, which discourages advertising investment.

For the advertising fraud gangs above, we summarize the key technologies they use, conduct a crowd analysis of internet underground industry practitioners, and classify them into high-end and low-end gangs.
High-end internet underground industry gangs can use the upstream and downstream channel resources of the internet industry: they quickly infect a large number of devices, profit from invisible ad impressions and simulated clicks on mobile phones, and on the PC side tamper with browser traffic and simulate user clicks through browser plug-in backdoors. Low-end internet underground industry gangs use "YI language" (易语言) and a series of browser libraries to quickly build hacking tools and sell them at a low price, which also has a very bad impact.

To detect and trace these gangs, we developed the Heracles project, which uses a new device fingerprint generation technique and side-channel detection to identify mainstream hacking tools such as headless browsers (puppeteer, minibrowser, etc.), "mobile key press genie" (按键精灵) and "cloud phones". We also use JavaScript runtime and jsbridge hooks in the browser engine, CORS features and other new techniques to detect simulated clicks on mobile advertisements and browser extension hijacking. These technologies are the keys to tracing and combating the internet underground industry chain, and they significantly reduce advertising fraud risk.

Previously we were a browser and operating system security research team and obtained hundreds of CVEs. We will introduce how security researchers can contribute to anti-fraud. Many undisclosed methods for tracing and catching internet underground industry practitioners will be presented in this talk; we believe many companies and anti-fraud practitioners will benefit from it.