New Ad Fraud Schemes Utilize Alpha-Numeric Domains

Co-authored by Dr. Augustine Fou, Independent Cybersecurity and Ad Fraud Researcher and David Mitnick, President of DomainSkate

The breach of the Democratic National Committee email system and a massive digital advertising fraud believed to be run by alleged actors in Russia share a common thread beyond their ability to capture the news cycle. Although each event targeted a different weakness in brand/online security platforms, the common denominator is the use of fraudulent domain names.

In the case of the DNC hack, an email linked to a look-alike Google domain was a critical component that allowed hackers entry into the DNC computer system. On the ad fraud side, alphanumeric and gibberish domains were used to bilk advertisers of millions of dollars a day via a complex system that showed real ads to fake people.

With respect to ad fraud, alphanumeric and gibberish domains are particularly attractive because they are cheap (they carry no premiums like those for domains associated with popular terms) and anonymous. Whereas prior schemes relied on some form of human intervention, whether fake clicks from confused users or hired clicks, the new schemes require none. In fact, the entire purpose of registering a domain name like www.000chat000.com is that it will remain anonymous and not attract attention.

We researched some recent alphanumeric domains registered in the .COM registry and found obvious patterns in the registrations. For example, see the registrations below, which were made just last month:

000000.com
0000000.com
00000000.com
000000000.com
0000000000.com
00000000000.com
000000000000.com
0000000000000.com
00000000000000.com
000000000000000.com
0000000000000000.com
00000000000000000.com
000000000000000000.com
0000000000000000000.com
00000000000000000000.com
000000000000000000000.com

Many of these domains were registered within minutes of each other, which means that the registration was likely automated as part of a targeted scam. Specifically, bots can perform bulk registrations simply by adding slight variations to the domain names (as in the list above and the examples below). Each is a unique domain that will have a different payment ID in the ad exchange. Here are a few examples:

0-bip-s01-0.com
Creation Date: 2013-02-04T21:01:29Z

0-bip-s02-0.com
Creation Date: 2013-02-04T21:01:42Z

0-bip-s03-0.com
Creation Date: 2013-02-04T21:01:48Z
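
One way to surface this pattern from WHOIS data, as an added example (not code from the original article): it collapses digit runs so that names differing only by a counter share a template, then flags templates with several registrations made within minutes of each other. The `skeleton` and `find_bursts` names, the five-minute gap, the minimum of three names and the `.example` rows are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First three rows are the registrations quoted in the article; the
# ".example" rows are constructed to show what should NOT be flagged.
WHOIS_RECORDS = [
    ("0-bip-s01-0.com", "2013-02-04T21:01:29Z"),
    ("0-bip-s02-0.com", "2013-02-04T21:01:42Z"),
    ("0-bip-s03-0.com", "2013-02-04T21:01:48Z"),
    ("shop42.example", "2013-02-04T21:01:50Z"),    # same template, months apart
    ("shop7.example", "2013-06-11T09:30:00Z"),
    ("plainname.example", "2013-02-04T21:01:45Z"),  # no counter in the name
]

def skeleton(domain):
    """Collapse each digit run to '#' so names differing only by a counter match."""
    return re.sub(r"\d+", "#", domain.strip().lower().rstrip("."))

def find_bursts(records, max_gap=timedelta(minutes=5), min_size=3):
    """Return templates with >= min_size registrations spaced <= max_gap apart."""
    groups = defaultdict(list)
    for domain, created in records:
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        groups[skeleton(domain)].append((ts, domain))

    bursts = []
    for template, rows in groups.items():
        rows.sort()
        run = [rows[0]]
        # Sentinel row forces the final run to be flushed.
        for row in rows[1:] + [(datetime.max, None)]:
            if row[0] - run[-1][0] <= max_gap:
                run.append(row)
                continue
            if len(run) >= min_size:
                bursts.append({
                    "template": template,
                    "domains": [d for _, d in run],
                    "span_seconds": int((run[-1][0] - run[0][0]).total_seconds()),
                })
            run = [row]
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(WHOIS_RECORDS):
        print(burst)
```

Grouping on the template alone would also match unrelated numbered names; requiring the registrations to fall close together in time is what separates a scripted batch from coincidence.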

We also visited these sites, and it became clear that they had no (human) traffic and were created simply for fraudulent purposes. The front pages of most of the sites were exactly the same, which means they used the same site template. There was also no real or useful content on the pages. Though there was no legitimate purpose for the sites, their large number could be useful for committing ad fraud, where scammers would add them to ad exchanges in order to carry ads (e.g. display ads, video ads, search ads, etc.), just like in the recent Russian advertising scam.

The bottom line is that it is important for every company, large or small, to monitor its brand names online and to pay close attention to the details in its media/digital advertising reports. On the brand side, a failure to monitor means that users or customers can be harmed by phishing scams that might otherwise be preventable.

With respect to digital advertising and media, it is important to always insist on line-item details when buying digital media. With these details you will be able to see the domain names on which your ads and media ran. When you see domains like the ones discussed in this article, be very suspicious and investigate further, because they are more likely to be used for fraudulent purposes than for legitimate ones.

By David Mitnick, President DomainSkate LLC
