In recent years, a concerning trend has emerged involving the compromise of thousands of websites owned by US government agencies, reputable universities, and professional organizations.
The latest report from WIRED has revealed that scammers are promoting dubious offers and scams, many of which specifically target children.
The threat actors want to fool the kids into downloading potentially harmful apps, malware, or divulging their personal information under false pretenses.
Website Compromises
Security researcher Zach Edwards has been diligently tracking these website hijackings and fraudulent activities for more than three years.
Remarkably, these incidents can all be traced back to affiliates connected to an advertising firm called CPABuild. This US-based company offers web traffic services to online advertisers, enabling individuals to join and utilize its platform.
What's alarming is that, on a daily basis, Edwards uncovers numerous compromised .gov, .edu, and .org domains.
Edwards explains that this group has gained notoriety for its proficiency in infiltrating web infrastructure on a massive scale and utilizing it to host various scams and exploitative endeavors. The sheer scale and audacity of these ongoing website compromises have caught the attention of cybersecurity experts and the general public alike.
Poison PDFs
The method behind these scams is relatively uniform. Attackers exploit vulnerabilities in a website's backend or content management system, then upload PDF files to the compromised site.
These malicious PDF files, aptly termed "poison PDFs," are crafted to rank prominently in search engine results. They entice users with offers such as free "Fortnite" skins or "Roblox" currency generators, and are stuffed with keywords so that they surface for users searching for related content.
Once users click on links within the poison PDFs, they are led through a convoluted chain of intermediary sites, ultimately landing on scam-filled pages.
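A site operator who suspects this kind of compromise would want to find such files on their own web root before a search engine indexes them. The following scanner is an added example written for this page, not code from WIRED, Edwards, or any of the organizations mentioned. It assumes uncompressed PDFs whose text and link annotations can be pulled out with simple regular expressions (real PDFs usually compress their streams, so a production check would use a proper PDF library), a constructed list of lure keywords, and a constructed sample PDF built inline; the hostnames used are placeholders.

```python
import os
import re
from urllib.parse import urlparse

# Constructed list of words the article says these lures are stuffed with.
LURE_TERMS = {"free", "generator", "skins", "coins", "v-bucks", "robux", "unlimited", "hack"}

# Regexes for uncompressed PDF syntax: link annotations carry "/URI (...)",
# text-showing operators look like "(some text) Tj". Assumption: no nested parentheses.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_RE = re.compile(rb"\(([^)]*)\)\s*Tj")


def pdf_links(data: bytes) -> list:
    """Return every URI target found in link annotations."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(data)]


def pdf_text(data: bytes) -> str:
    """Return the visible text from uncompressed text-showing operators."""
    return " ".join(m.group(1).decode("latin-1", "replace") for m in TEXT_RE.finditer(data))


def score_pdf(data: bytes, own_hosts: set) -> dict:
    """Flag a PDF that is keyword-stuffed with lure terms and/or links off-site."""
    words = re.findall(r"[a-z0-9\-]+", pdf_text(data).lower())
    hits = sum(1 for w in words if w in LURE_TERMS)
    density = hits / len(words) if words else 0.0
    external = []
    for uri in pdf_links(data):
        host = urlparse(uri).hostname
        if host and host.lower() not in own_hosts:
            external.append(uri)
    reasons = []
    if density >= 0.2:
        reasons.append(f"lure keyword density {density:.2f}")
    if external:
        reasons.append(f"{len(external)} link(s) to hosts outside the site")
    return {
        "suspicious": bool(reasons),
        "lure_density": round(density, 2),
        "external_links": external,
        "reasons": reasons,
    }


def scan_directory(root: str, own_hosts: set) -> list:
    """Walk a web root and return (path, result) for every PDF that scores suspicious."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".pdf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = score_pdf(fh.read(), own_hosts)
            if result["suspicious"]:
                flagged.append((path, result))
    return flagged


def build_sample_pdf(text: str, uri: str) -> bytes:
    """Constructed, minimal uncompressed PDF-like bytes for the example.

    Enough structure for the regex scanner above; not guaranteed to open in a viewer.
    """
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"4 0 obj << /Length 60 >> stream\nBT /F1 12 Tf (" + text.encode() + b") Tj ET\nendstream endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri.encode() + b") >> >> endobj\n"
        b"%%EOF\n"
    )


# Constructed samples: a lure modelled on the offers described in the article, and a benign document.
OWN_HOSTS = {"agency.example.gov"}  # placeholder for the site's own hostnames
LURE_PDF = build_sample_pdf(
    "FREE Fortnite skins generator unlimited free coins get free skins now",
    "https://example-lure.invalid/claim",
)
BENIGN_PDF = build_sample_pdf(
    "Annual budget report for fiscal year 2023 submitted to the board",
    "https://agency.example.gov/budget.pdf",
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(label, score_pdf(blob, OWN_HOSTS))
```

Pointing `scan_directory` at a web root with the site's own hostnames gives a first pass over recently uploaded PDFs; in practice the keyword density threshold and term list would be tuned to the site's legitimate content, and file modification times outside normal publishing windows are a second useful signal.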
Scammers Are Taking Advantage of Young Gamers
Interestingly, Edwards highlights that many of these landing pages are meticulously crafted to target children. For instance, one PDF advertises free in-game coins, leading users to a site that requests their in-game username, operating system, and more. A pop-up then prompts them to take additional actions, such as signing up for services, sharing personal details, or downloading apps.
Shockingly, despite the user's compliance, no actual rewards are ever granted. This intricate web of actions, however, generates revenue for those orchestrating the scams.
Although these types of scams are not new, Edwards points to a pattern common to all of them: their association with CPABuild and its network members. All of the compromised websites hosting uploaded PDFs are connected to command-and-control servers owned by CPABuild, indicating its central role in the operation.
The investigation also underscores the challenges faced by authorities and cybersecurity professionals in curbing these activities effectively.
CPABuild-Linked Scams
CPABuild's website defines it as a "content-locking network," predominantly focused on offering tasks to customers who aim to profit from user engagement. The platform's structure includes various tiers of users, allowing them to pursue actions in exchange for financial incentives.
Despite claims of fraud checks and prohibiting abusive practices, the extent of these scams associated with CPABuild remains a growing concern.
As these scams continue, impacted organizations, including government agencies, universities, and research institutions, grapple with the aftermath.
Edwards has made concerted efforts to raise awareness by sharing his findings with relevant agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA).
Despite some actions taken by these agencies to mitigate the risks, the complexity of the scams and the widespread nature of the compromised websites make it a formidable challenge.