A massive scam that targets children with Roblox and Fortnite ‘offers’ has been hiding in plain sight

According to new research, thousands of websites belonging to US government institutions, prestigious universities, and professional associations have been hacked over the past five years and turned into platforms for promoting dubious offers and scams. Many of these schemes target kids and try to get them to download malware or apps, or to hand over personal information, in exchange for Fortnite and Roblox rewards that don’t exist.

Zach Edwards, a security researcher, has been tracking these online scams and website hijackings for more than three years. He says the activity can be traced back to the affiliates of a single advertising company. The US-based business acts as a service that directs web traffic to various online marketers, while letting users sign up and use its tools. Edwards, a senior manager of threat insights at Human Security, says he routinely finds large numbers of compromised .gov, .org, and .edu domains.

“This group is what I would consider to be the number one group at bulk compromising infrastructure across the internet and hosting scams on it and other types of exploits,” Edwards says. According to the research, it is the scale of the ongoing website hacks and the public nature of the scams that set them apart.

Although the money-making schemes are intricate, each website is taken over in a similar fashion. Attackers exploit flaws in a website’s backend or content management system to upload malicious PDF files. These documents, which Edwards calls “poison PDFs,” are made to appear in search results and offer “free Fortnite skins,” “roblox currency generators,” or cheap streams of popular movies such as Barbie and Oppenheimer. The documents are stuffed with keywords related to these topics, and because search engines crawl and index PDFs like any other page on the host, a site-restricted search for one of those bait phrases will surface them for a site owner just as readily as for a victim.
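A way to triage PDFs found in a site's upload directory for the keyword stuffing and outbound links the paragraph describes. This is an added example written for this page, not a tool from the research or from Human Security; the watch-list phrases, the hypothetical domains (www.example.gov, redirect.example.net) and the two sample PDFs are constructed here. It handles uncompressed and FlateDecode content streams, which covers most web-uploaded SEO bait; streams with other filters are counted but not parsed.

```python
"""Triage candidate "poison PDFs": keyword-stuffed text plus links to other hosts.

Heuristic: a legitimate government or university document rarely repeats a
phrase like "free robux" several times or links out to an unrelated domain.
"""
import re
import zlib
from urllib.parse import urlparse

# Assumed watch list, taken from the bait phrases described in the article.
SCAM_PHRASES = (
    "free fortnite skins", "free v-bucks", "robux generator", "free robux",
    "roblox currency generator", "barbie full movie", "oppenheimer full movie",
)

# "N 0 obj << dict >> stream ... endstream"; the tempered dot keeps the dict
# from spilling across a preceding object's endobj.
STREAM_RE = re.compile(
    rb"\d+ 0 obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")          # (string) Tj
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.DOTALL)     # [(a) -20 (b)] TJ
STR_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")       # link annotations


def content_streams(pdf):
    """Yield decoded stream bodies; None for filters this triage cannot decode."""
    for dct, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dct:
            try:
                yield zlib.decompress(data)
            except zlib.error:
                yield None
        elif b"/Filter" in dct:
            yield None
        else:
            yield data


def extract_text(pdf):
    """Collect string operands of Tj/TJ text operators, lower-cased."""
    parts = []
    for stream in content_streams(pdf):
        if stream is None:
            continue
        parts += TJ_RE.findall(stream)
        for arr in TJ_ARRAY_RE.findall(stream):
            parts += STR_RE.findall(arr)
    return b" ".join(parts).decode("latin-1").lower()


def extract_uris(pdf):
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def triage(pdf, own_domains, min_phrases=2):
    """Flag a PDF that repeats bait phrases and links to a host we do not own."""
    text = extract_text(pdf)
    hits = {p: text.count(p) for p in SCAM_PHRASES if p in text}
    external = [u for u in extract_uris(pdf)
                if urlparse(u).hostname and urlparse(u).hostname not in own_domains]
    return {
        "phrases": hits,
        "external_uris": external,
        "unparsed_streams": sum(1 for s in content_streams(pdf) if s is None),
        "suspicious": len(hits) >= min_phrases and bool(external),
    }


def build_pdf(content, uri=None, compress=False):
    """Constructed one-page PDF for the demo (no xref table; the triage does not need one)."""
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    annots = b" /Annots [5 0 R]" if uri else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R" + annots + b" >>",
        b"<< " + filt + b"/Length " + str(len(data)).encode()
        + b" >>\nstream\n" + data + b"\nendstream",
    ]
    if uri:
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>")
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += f"{i} 0 obj\n".encode() + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


# Constructed samples: a keyword-stuffed bait file and an ordinary report.
POISON_PDF = build_pdf(
    b"BT /F1 12 Tf 72 700 Td "
    + b"(Free Fortnite Skins Generator 2023 no survey) Tj " * 5
    + b"[(free robux) ( ) (robux generator) ( ) (free v-bucks)] TJ ET",
    uri=b"https://redirect.example.net/go?id=123", compress=True)
BENIGN_PDF = build_pdf(
    b"BT /F1 12 Tf (Annual Financial Report 2022) Tj (Section 1: Summary) Tj ET",
    uri=b"https://www.example.gov/reports")

if __name__ == "__main__":
    for name, pdf in (("poison", POISON_PDF), ("benign", BENIGN_PDF)):
        print(name, triage(pdf, {"www.example.gov"}))
```

Run it over a real upload directory by reading each file's bytes into `triage()`; anything flagged deserves a look at the CMS access logs around the upload time, since the PDF is the symptom and the upload path is the actual compromise.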

According to Edwards, who presented the research at the Black Hat security conference in Las Vegas, someone who follows the links in a poison PDF may be bounced through several websites before arriving at a scam landing page. There are, he says, “a ton of landing pages that appear really targeted to children.”

Click a link in one PDF offering free coins for an online game, for instance, and you are taken to a website that asks for your operating system and your in-game username, then asks how many free coins you want. A “Last Step!” message pops up. This “locker page” says you can unlock the free coins by downloading an app, signing up for another service, or handing over personal information. “I’ve tested it hundreds of times,” Edwards says. He has never been paid out. Those running the scams make money when victims are led through this maze of pages and pushed into downloading an app, providing personal information, or completing whatever other step is required.
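The click chain described above, and the redirect services mentioned later in the piece that obscure where a link really goes, can be recorded hop by hop instead of letting a browser or HTTP library follow them silently. The unroller below is an added example for this page, not part of the research; it takes a pluggable `fetch` function so the chain can be replayed from a constructed map of responses offline (the `FAKE_WEB` hosts are invented), and `http_fetch` is the live variant that uses urllib with redirects disabled.

```python
"""Unroll a redirect chain one hop at a time, recording every intermediate host.

Follows HTTP 3xx Location headers and <meta http-equiv="refresh"> hops, stops
on loops or after max_hops, and reports the distinct hosts traversed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)


def next_hop(url, status, headers, body):
    """Return (absolute next URL, mechanism) or (None, None) for a terminal page."""
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"]), "http-%d" % status
    m = META_REFRESH_RE.search(body or "")
    if m:
        return urljoin(url, m.group(1)), "meta-refresh"
    return None, None


def unroll(start, fetch, max_hops=10):
    """fetch(url) -> (status, headers, body); headers keys are case-insensitive."""
    chain, seen, url, truncated = [], set(), start, False
    while url is not None:
        if url in seen or len(chain) > max_hops:
            truncated = True          # loop or chain deeper than we are willing to follow
            break
        seen.add(url)
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt, how = next_hop(url, status, headers, body)
        chain.append({"url": url, "status": status, "next_via": how})
        url = nxt
    hosts = []
    for hop in chain:                 # distinct hosts, in the order they were seen
        h = urlparse(hop["url"]).hostname
        if h not in hosts:
            hosts.append(h)
    return {"chain": chain, "hops": len(chain) - 1,
            "final": chain[-1]["url"] if chain else start,
            "hosts": hosts, "truncated": truncated}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                   # let 3xx surface as HTTPError instead of following


def http_fetch(url, timeout=10):
    """Live fetch for real investigations; not exercised by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536).decode("utf-8", "replace")


# Constructed replay of a chain like the one in the article: PDF link -> redirect
# service -> tracker (meta refresh, relative URL) -> locker page. Invented hosts.
FAKE_WEB = {
    "https://redirect.example.net/go?id=123":
        (302, {"Location": "https://track.example.org/c/abc"}, ""),
    "https://track.example.org/c/abc":
        (200, {}, '<html><meta http-equiv="refresh" content="0;url=/landing?ref=abc"></html>'),
    "https://track.example.org/landing?ref=abc":
        (301, {"Location": "https://locker.example.com/fortnite"}, ""),
    "https://locker.example.com/fortnite":
        (200, {"Content-Type": "text/html"}, "<html><h1>Last Step!</h1></html>"),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    result = unroll("https://redirect.example.net/go?id=123", fake_fetch)
    for hop in result["chain"]:
        print(hop["status"], hop["url"], "->", hop["next_via"])
    print("hosts:", result["hosts"])
```

Recording every hop matters because the intermediate hosts are what tie a scam landing page back to the affiliate network: the final locker page may change daily, but the redirect and tracking domains in the middle tend to be reused.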

Ad-fraud researchers say these schemes are not new. What makes them stand out, according to Edwards, is that they are all connected to the advertising company CPABuild and the affiliates in its network. Every compromised website with uploaded PDF files is making calls to CPABuild’s command-and-control servers, Edwards says. “They are pushing marketing campaigns into somebody else’s infrastructure,” he says. Searching for a file that is linked from the PDFs returns pages of results from hacked websites.

CPABuild’s website lists Nevada as its place of legal registration and describes the company as a “content-locking network first and foremost.” The business, which has existed since 2016, takes on jobs from its clients, such as offering consumers the chance to win money in exchange for their email address and zip code. CPABuild users, often referred to as affiliates, then try to persuade consumers to complete these offers. They frequently do this by posting spammy links in YouTube comments or by building the pop-up “locker” pages that appear at the end of the poison PDF click chain. Advertisers and marketers call this results-based model “cost per action” (CPA).

WIRED sent inquiries via a contact form and to several email addresses listed on the CPABuild website but received no response. The company’s website offers little general information and does not identify any of the people behind CPABuild. Its terms of service prohibit fraud and the sharing of various types of content, and say that “daily” fraud checks are in place to catch bad actors abusing the platform.

According to the website, CPABuild has hundreds of templates and landing pages and has paid out more than $40 million to publishers. The platform has different user tiers. An image on the homepage shows the affiliate hierarchy, with member ranks including managers, devils, demons, wizards, masters, and knights. In one video published by a CPABuild member on August 11, an admin account can be seen messaging users, indicating that the company has taken steps to stop the platform from being used for fraud. The notification shown on the site reads, “We are still receiving reports that CPABuild publishers are promoting offers in ways that violate our terms of service.” However, according to Edwards’ research, whatever steps CPABuild has taken have failed to stop its users from engaging in rampant fraud.

“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent ad-fraud and cybersecurity investigator who reviewed a summary of Edwards’ findings. “Specialists like the ones identified carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Clients seek them out for that specialty.”

The PDFs still affect a large number of websites. This week, after being contacted by WIRED, the New York State Department of Financial Services removed uploaded PDFs. The issue was first identified in 2022, according to Ciara Marangas, a department spokesperson, and the files were removed after a review and further processes.

Edwards says he reported more than 50 hacked websites to the US Cybersecurity and Infrastructure Security Agency (CISA) in 2022, including those of the Lawrence Berkeley National Laboratory and the Oak Ridge National Laboratory. An Oak Ridge spokesperson says the laboratory “immediately” responded to the CISA report, “deleted the suspicious content, and resolved the issue,” and that no laboratory data was altered. A spokesperson for Lawrence Berkeley National Laboratory declined to comment on the specific case but said that “no vulnerability has resulted in the compromise of systems for visitors” to its website. Cameron Dixon, who manages CISA’s .gov registry, says the agency notifies government bodies when it learns of vulnerabilities in their websites and offers support. “You could have a list like this for any given day.”

Although some reports have been linked to possible CPABuild affiliates, Edwards says the technique can go unnoticed because the links in the chain are passed through redirect services that obscure their origin. He adds that because the compromises are not as devastating as ransomware or other hacks, they may simply not be noticed.

There are, however, online traces of activity connected to CPABuild members and affiliates. Videos uploaded to YouTube show how various CPABuild users have used the platform. In one, someone is seen using a locker page built with CPABuild’s tools alongside a “Fortnite skins generator.” Another shows some of the offers available through CPABuild, including requests for users to install mobile apps, enter their credit card details, provide their email address, and complete “general surveys.”

Over the past seven years, the Internet Archive has captured hundreds of content lockers on CPABuild’s website. On one locker page titled “Amazon gift cards,” people can answer a survey to “Win a $5,000 cash now” or “enter” to win $25,000. Others require users to download programs such as the Opera web browser, or to hand over their details, to “get a $100 Roblox Game Card.” Activities popular with kids are routinely used as bait for these “offers.”

One locker page states, “We hate this kind of stuff as much as you do, but it keeps us alive,” and then asks the visitor to complete a short form to obtain a password and show their support.

Website inspection tools such as URLScan show multiple questionable sites communicating with CPABuild’s infrastructure, which is hosted on Amazon Web Services (AWS). Patrick Neighorn, an AWS spokesperson, says Amazon’s trust and safety teams are reviewing the findings of Edwards’ research. “AWS’s terms of service forbid customers from using our services for any fraudulent or illegal activity, and our customers are responsible for adhering to our terms and all applicable laws,” Neighorn says.

Fortnite Scam

Meanwhile, game companies say the offers on the locker pages are fake. Jake Jones, senior communications manager at Epic Games, the maker of Fortnite, says these are scams. “Players have never been able to sell, gift, or trade in-game V-Bucks to another player or sell virtual items to one another,” he says. Similarly, James Kay, a Roblox spokesperson, warns against using third-party services to “buy, sell, trade or give away Robux” and advises against clicking “offers” on websites that promise free in-game currency or other items.

Victoria Kivilevich, director of threat research at security company KELA, says her organization has seen CPABuild discussed on hacking and criminal forums. On one site, Kivilevich says, a user suggests building a YouTube channel with content from cracked games and software in order to draw viewers. Fortnite and Roblox come up frequently, according to Kivilevich. “The user recommends using CPABuild to place a content locker URL apparently obtained through CPABuild to the description of the videos and earn on visitors who click on the URL,” she says.

Many users are looking for information on how to get accepted into CPABuild, and for accounts they can buy, Kivilevich says.

Not all of the poison PDFs steer people toward scams, although many do. According to Edwards, some CPABuild clients appear to be malware authors. He says that occasionally, in the days after a major news story about China, some of these keyword-stuffed PDFs would appear containing language similar to the news articles. “The legitimate article will show up as the first result of the first page of a search, and then maybe three or four down would be honeypots,” he says. “It was malware on each of these pages, I swear.”
