Cyber Security: Fake News, Bots, Botnets and Click Fraud

The New York Times1 recently reported on an example of how fake news can reach beyond celebrities and political figures to the reputation of private citizens and their businesses. Specifically, the fake news example alleged irresponsibly that a Washington, D.C. pizzeria was being used as a front for a child sex trafficking operation. A major catastrophe was averted afterwards, when law enforcement arrested a man who entered the pizzeria to investigate the hoax armed with an assault rifle.2

This article focuses on challenges that fake news presents to financial crimes investigators and on examples of cybersecurity threats that may accompany fake news through bots, botnets and click fraud, given the recent advisory to financial institutions on cyber-events and cyber-enabled crime from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN),3 which provides suspicious activity report (SAR) filing examples and a frequently asked questions document.4

Fake News

Disinformation designed to deceive or obscure the truth has long been a part of the competitive landscape. Yet, recent headlines about Google, Twitter and Facebook efforts to curb profits derived from fake news5 raise significant concerns for financial crimes investigations.

Fake news makes it harder to rely on traditional news and social media for negative news. Financial crimes investigators should always be on the lookout for fraudulent misinformation, hoaxes and satire that make it harder to find reliable adverse media. Healthy skepticism is appropriate when reviewing search results, such as negative reviews6 about individuals or businesses, or positive reviews that are withheld from public view to manufacture demand for online reputation management software and services.7

It is best to read beyond headlines8 and to be skeptical of online news from unfamiliar news outlets. A website registrant’s identity can be investigated by typing the domain name into WHOIS.net, and then repeating this step using the registrar’s WHOIS Lookup.

In addition, pay close attention to news website addresses when typing into browsers or selecting from search results. For example, cnn.com may be intended when cnn.om is typed instead due to a typographical error. A fake news website could exist at the cnn.om web address, since .om is the internet country code top-level domain for Oman. An online list of reportedly malicious .om websites includes cnn.om.9 Typosquatting websites may disregard the intellectual property10 and unfair competition11 protections of legitimate news outlets, and deliver fake news12 and malware13 to internet users.
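The cnn.om case above can be checked mechanically. The following is an added example, not part of the original article: it flags hostnames that sit within one typing error of a trusted news domain. The allow-list, function names and the one-edit threshold are assumptions chosen for illustration, and the check generalizes beyond the dropped-letter case to substitutions and swapped adjacent letters.

```python
# Added example: flag hostnames that look like typos of trusted news domains.
# TRUSTED is a constructed allow-list; a real review would load its own list.
TRUSTED = {"cnn.com", "nytimes.com", "washingtonpost.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: counts inserts, deletes,
    substitutions and swaps of two adjacent characters."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "se" typed for "es".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case the host, drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(host: str, trusted=TRUSTED, max_distance: int = 1):
    """Return (verdict, matched_domain); verdict is 'trusted',
    'lookalike' or 'unknown'."""
    name = normalize(host)
    for good in trusted:
        # Exact match, or a subdomain under the trusted registrant's control.
        if name == good or name.endswith("." + good):
            return ("trusted", good)
    labels = name.split(".")
    best = None
    for good in sorted(trusted):
        # Assumption: compare as many trailing labels as the trusted domain
        # has, instead of consulting a public-suffix list.
        k = good.count(".") + 1
        tail = ".".join(labels[-k:])
        d = edit_distance(tail, good)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, good)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for h in ["cnn.om", "www.cnn.com", "news.cnn.om", "nytimse.com", "example.org"]:
        print(h, classify(h))
```

A "lookalike" verdict is a prompt for manual review, such as the WHOIS check described earlier, not proof of malice; short domain names in particular will produce false positives at a distance of one.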

The author’s identity and reputation for accurate reporting should be investigated, along with the presence of reliable news sources and the accuracy of facts, quotes and publication dates. News blogs and articles may be ghostwritten, as some authors may be using online reputation management services to bury unwanted search results by positioning themselves as industry thought leaders.14 Both derogatory and favorable news about individuals or businesses should be corroborated for accuracy, completeness and relevance.

Photographs should also be checked. Origins and previous postings of photographs can be verified through reverse image search by dragging the photograph into web-based tools like TinEye15 or Google Images.16 Photograph date-, time- and location-tracking data can be verified using web-based metadata verification tools, like Metapicz17 and Jeffrey Friedl’s Image Metadata Viewer.18

The absence of photograph editing can be confirmed using web-based services like Izitru,19 which also certifies photographs that it deems to be authentic. Such certification may be of special value to auction websites and other online sellers with photographs that buyers rely on before purchasing goods and services.

Fake news may expose internet users to cybersecurity risks through online searches, traditional news sources and social media. Be on the lookout for malware disguised as news and other announcements, including browser updates,20 security patches21 and software updates.22

Detecting disguised malware requires consistent attention to detail and context. Some malware may be easy to spot, such as update pop-ups with typographical errors, unprofessional English, or logos that do not match trademarks. Be wary of updates that appeal to emotions or a sense of urgency. If update requests appear unexpectedly, check instead for downloads on the software vendor’s website. The FBI has warned about malware that appears as software update pop-ups when using public hotspots or hotel internet services. Malware may appear as fake software updates to users who browse free media websites or download free software. Security software should be set to auto-update, run at all times and protect endpoints, such as laptops and mobile devices. Auto-updates should be checked intermittently, since malware can hijack auto-updates.23

Cybercriminals may use email,24 link clicks to news articles25 and advertisements,26 and word searches (including personal name searches)27 to load malware, spyware and spam on computers, lure users to malicious websites, and report keystrokes and online activities. Such reporting of keystrokes and online activities may impact SAR confidentiality that is required by U.S. federal law.28

Bots and Botnets

Automated computer programs, known as bots, are frequently used to spread fake news.29

Not all bots are created equal. An example of a good bot is Googlebot, Google’s web crawling bot used to discover new and updated internet webpages to be added to its search index.30

Unfortunately, bots have a bad reputation because cybercriminals often use them to control an infected computer for nefarious purposes. Online companies face greater challenges distinguishing real customers from bad bots that can steal website content through web scraping,31 commit click fraud,32 and hijack user accounts.33 On online gambling websites, bots compete against human players, contrary to the terms of use,34 and circumvent age and identity verification and enhanced customer due diligence.35

The U.S. Congress recently took legislative steps to curb the use of bots that function as online ticket scalpers.36 On December 14, 2016, former President Barack Obama signed the Better Online Ticket Sales (BOTS) Act of 2016, Public Law No: 114-274, which defines the use of bots to purchase tickets in advance and then resell them at a premium as an “unfair and deceptive practice” under the Federal Trade Commission Act.37 Although this law is directed at bots that function as online ticket scalpers, it establishes a foundation for similar efforts to curb the use of bots that harm the online sale of other goods and services.

Bots on one infected computer may be networked with other infected computers through what is called a botnet, which may span globally. Through a botnet, a command and control server can function as a master computer that remotely controls infected computers, although new variations on this conventional approach are becoming evident.38

Botnets may adversely affect individual internet users by collecting and sending their personal financial information, such as credit card numbers, bank account details and passwords, to organized criminals and terrorists.39 The FBI has been actively addressing such cybersecurity threats in collaboration with the private sector, U.S. and foreign law enforcement, and other U.S. federal agencies.40

SARs have been vital in helping the FBI to identify wire transfers tied to botnets operated by large-scale money laundering operations, according to former FinCEN Director Jennifer Shasky Calvery. This includes the GameOver Zeus botnet associated with losses exceeding $100 million in the U.S. alone.41

FBI collaborative efforts have also mitigated DNS Changer, Dridex, Dorkbot, Simda botnets, and other botnet threats that can be used to disseminate viruses like ransomware. The FBI has collaborated with foreign law enforcement and intelligence agencies through cyber assistant Legal Attachés assigned overseas.42

The Presidential Policy Directive–U.S. Cyber Incident Coordination outlines a public-private collaboration framework to address cybersecurity matters. The Department of Justice, acting through the FBI and the National Cyber Investigative Joint Task Force, is designated as the Federal lead agency for threat response. The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, is designated as the Federal lead agency for asset response. The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, is designated as the Federal lead agency for intelligence support.43

The FBI has been working closely with White Ops, a private sector online fraud prevention firm that recently discovered the Methbot botnet, which is associated with losses exceeding $180 million.44

New provisions of Rule 41 of the Federal Rules of Criminal Procedure went into effect on December 1, 2016. The Electronic Frontier Foundation asserts in part that Rule 41 will now make it easier for law enforcement to obtain search warrants if a computer is part of a botnet, and urges additional safeguards.45

Click Fraud

Online advertising pay-per-click bot and botnet schemes have presented organized criminals and terrorists with opportunities for money laundering46 through click fraud.47

For example, click hijacking, also called click jacking, may be associated with fake news as a lure to social media click fraud.48 A botnet linking over 4 million computers in more than 100 countries allowed a group of organized criminals to run click jacking malware that would trick users into clicking on a hidden layer of links or buttons, so that the organized criminals might fraudulently collect over $14 million in advertising pay-per-click revenue. The Estonian co-conspirators posed as an online advertising firm linked to over a dozen front companies in Cyprus, Denmark, England, Estonia, the Republic of Seychelles, Russia, and the U.S.; one Russian co-conspirator reportedly remains at large.49

Click jacking has been used to trick computer users into turning on microphones and cameras without their knowledge. Prevention of click jacking can include updates to internet browsers and Flash plugins, along with click jacking detection and prevention software.50

The term “click laundering” may be of interest to anti-money laundering/counter-terrorist financing investigators. In 2010, Microsoft popularized the term click laundering to describe another form of click fraud that makes invalid ad clicks appear to originate from legitimate sources.51 Click laundering attempts to avoid fraud detection systems that have been put in place by the Microsoft adCenter platform to protect online advertisers. The name “click laundering” highlights an analogy to money laundering in that the origin of illegal profits is disguised as legitimate.52

In conclusion, cybersecurity threats that accompany fake news through bots, botnets and click fraud may be reportable in SARs subject to the recent FinCEN advisory, which describes cyber-events, cyber-enabled crimes and cyber-related information, and provides SAR filing examples and a frequently asked questions document.

Miguel Alcántar, CAMS-FCI, compliance advisor, Oakland, CA, USA, alcantar@aya.yale.edu

For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/

  1. Pui-Wing Tam, “Anti-Clinton Fake News Casts Pizzeria as Front for Crime,” The New York Times, November 22, 2016, http://www.nytimes.com/2016/11/22/technology/anti-clinton-fake-news-casts-pizzeria-as-front-for-crime.html
  2. Keith L. Alexander, Susan Svrluga, “‘I am sure he is sorry for any heartaches he has caused,’ mother of alleged ‘Pizzagate’ gunman says,” The Washington Post, December 12, 2016, https://www.washingtonpost.com/local/public-safety/i-am-sure-he-is-sorry-for-any-heartaches-he-has-caused-mother-of-alleged-pizzagate-gunman-says/2016/12/12/ac6f9068-c083-11e6-afd9-f038f753dc29_story.html?utm_term=.50c512a5f409
  3. “FIN-2016-A005 Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” United States Department of the Treasury—Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf
  4. “Frequently Asked Questions (FAQs),” United States Department of the Treasury—Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/sites/default/files/shared/FAQ_Cyber_Threats_508_FINAL.PDF
  5. Abby Ohlheiser, “This is how Facebook’s fake-news writers make money,” The Washington Post, November 18, 2016, https://www.washingtonpost.com/news/the-intersect/wp/2016/11/18/this-is-how-the-internets-fake-news-writers-make-money/
  6. “Lawsuit over negative Yelp review heads to Calif. Supreme Court,” CBS News, September 22, 2016, http://www.cbsnews.com/news/lawsuit-over-negative-yelp-review-california-supreme-court/
  7. Cheryl Conner, “The Dark Side of Reputation Management: How It Affects Your Business,” Forbes, May 9, 2013, http://www.forbes.com/sites/cherylsnappconner/2013/05/09/the-dark-side-of-reputation-management-how-it-affects-your-business/#1f572fcc4b89
  8. Nick Robins-Early, “How to Recognize a Fake News Story,” The Huffington Post, November 22, 2016, http://www.huffingtonpost.com/entry/fake-news-guide-facebook_us_5831c6aae4b058ce7aaba169
  9. Endgame—List of malicious .om sites, Pastebin, March 11, 2016, http://pastebin.com/q2WCuw6K
  10. William Needle, “Chapter No. 4.3 Trademark Primer,” Concept Foundation, PIPRA, FIOCRUZ and bioDevelopments-Int. Institute, http://www.iphandbook.org/handbook/ch04/p03/
  11. Florina Yezril, “Somewhere Beyond the ©: Copyright and Web Design,” NYU Journal of Intellectual Property & Entertainment Law, December 17, 2015, http://jipel.law.nyu.edu/vol-5-no-1-2-yezril/
  12. Elizabeth Weise, “Hackers use typosquatting to dupe the unwary with fake news, sites,” USA Today, December 1, 2016, http://www.usatoday.com/story/tech/news/2016/12/01/hackers-use-typo-squatting-lure-unwary-url-hijacking/94683460/
  13. Lily Hay Newman, “Be Careful. Mistyping a Website URL Could Expose You to Malware,” Slate, March 17, 2016, http://www.slate.com/blogs/future_tense/2016/03/17/hackers_use_om_urls_for_typosquatting_malware_attacks.html
  14. BrandYourself Concierge Service, https://brandyourself.com/info/about/howItWorks/concierge
  15. TinEye, http://www.tineye.com
  16. Google Images, https://images.google.com
  17. Metapicz, http://metapicz.com
  18. Jeffrey Friedl’s Image Metadata Viewer, http://exif.regex.info/exif.cgi
  19. Izitru, http://www.izitru.com
  20. Larry Loeb, “Firefox Malware Poses as Browser Update,” Security Intelligence, July 11, 2016, https://securityintelligence.com/news/firefox-malware-poses-as-browser-update/
  21. Mark Jones, “Top Story: Watch out! Malware disguised as Microsoft security update,” Komando.com, October 29, 2016, http://www.komando.com/happening-now/378364/watch-out-microsoft-security-update-disguised-as-malware/all
  22. “Keep getting fake Adobe update popup,” Adobe, September 7, 2016, https://forums.adobe.com/thread/2205736
  23. “Is That Software Update Actually Malware?,” ZoneAlarm, March 11, 2015, http://www.zonealarm.com/blog/2015/03/software-update-malware/
  24. Elizabeth Shim, “South Korea police warns of malware in emails about Park Geun-hye,” United Press International, November 23, 2016, http://www.upi.com/Top_News/World-News/2016/11/23/South-Korea-police-warns-of-malware-in-emails-about-Park-Geun-hye/7101479913990/
  25. “Visitors of NY Times, BBC, and AOL sites targeted by malware,” Lavasoft, March 17, 2016, http://www.lavasoft.com/mylavasoft/company/blog/visitors-of-ny-times-bbc-and-aol-sites-targeted-by-malware
  26. Laura Hautala, “How to avoid getting conned by fake news sites,” CNET, November 19, 2016, https://www.cnet.com/how-to/how-to-avoid-getting-conned-by-fake-news-sites/
  27. “Celebrities Bring Us Entertainment, Laughter—and Malware,” Intel Security, October 4, 2016, https://securingtomorrow.mcafee.com/business/celebrities-bring-us-entertainment-laughter-malware/
  28. 31 U.S.C. § 5318(g); 31 C.F.R. § 103.18 (U.S. Treasury Department); 12 C.F.R. § 21.11 (U.S. Office of the Comptroller of the Currency); 12 C.F.R. § 563.180 (U.S. Office of Thrift Supervision); 12 C.F.R. §§ 353.1–353.3 (U.S. Federal Deposit Insurance Corporation); 12 C.F.R. § 208.62 (U.S. Federal Reserve Board).
  29. John Markoff, “Automated Pro-Trump Bots Overwhelmed Pro-Clinton Messages, Researchers Say,” The New York Times, November 17, 2016, http://www.nytimes.com/2016/11/18/technology/automated-pro-trump-bots-overwhelmed-pro-clinton-messages-researchers-say.html?_r=0
  30. “Googlebot,” Google Search Console Help, 2016, https://support.google.com/webmasters/answer/182072?hl=en
  31. “The 2016 Economics of Web Scraping Report,” Distil Networks, 2016, https://forum.equinix.com/assets/images/files/distil-networks-2016-economics-of-web-scraping.pdf
  32. “The Bot Baseline: Fraud in Digital Advertising—Advertisers will lose $7.2 billion globally to bots in 2016,” Association of National Advertisers, 2016, http://www.ana.net/content/show/id/botfraud-2016
  33. Bryan Hooi, Hyun Ah Song, Alex Beutel, Neil Shah, Kijung Shin and Christos Faloutsos, “FRAUDAR: Bounding Graph Fraud in the Face of Camouflage,” Carnegie Mellon University, 2016, https://www.cs.cmu.edu/~neilshah/research/papers/FRAUDAR.KDD.16.pdf
  34. “Rise of the Machines: How Poker Bots Infiltrated the Online Game,” CardsChat, https://www.cardschat.com/poker-bots.php#sthash.tSAasWUK.dpuf
  35. “You need to know your customers—remote casinos: Customer due diligence in remote casinos,” Gambling Commission, December 2015, http://www.gamblingcommission.gov.uk/Gambling-sectors/AML/How-to-comply-AML/You-need-to-know-your-customers.aspx
  36. Ray Waddell, “Inside the Music Industry—and Congress’—Fight Against Ticket Bots,” Billboard, June 23, 2016, http://www.billboard.com/articles/business/7416096/ticket-bots-illegal-software-music-stars
  37. Enrolled Bill Text—S.3183—114th Congress (2015-2016): BOTS Act of 2016, Congress.gov, https://www.congress.gov/bill/114th-congress/senate-bill/3183/text
  38. Botnets Today, Microsoft Security Intelligence Report, https://www.microsoft.com/security/sir/story/default.aspx#!botnetsection_p2p
  39. Joseph Demarest, “Taking Down Botnets,” FBI, July 15, 2014, https://www.fbi.gov/news/testimony/taking-down-botnets
  40. “International Cyber Crime—Iranians Charged with Hacking U.S. Financial Sector,” FBI, March 24, 2016, https://www.fbi.gov/news/stories/iranians-charged-with-hacking-us-financial-sector
  41. Prepared Remarks of FinCEN Director Jennifer Shasky Calvery, delivered at the FSSCC-FBIIC joint meeting, FinCEN, December 9, 2015, https://www.fincen.gov/sites/default/files/shared/20151209.pdf
  42. “DHS, DOJ Respond to Carper Inquiries on Agencies’ Response to Threat of Ransomware,” U.S. Senate Committee on Homeland Security & Governmental Affairs, March 30, 2016, https://www.hsgac.senate.gov/media/minority-media/dhs-doj-respond-to-carper-inquiries-on-agencies-response-to-threat-of-ransomware
  43. “Presidential Policy Directive—U.S. Cyber Incident Coordination,” The White House, July 26, 2016, https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident
  44. Jose Pagliery, “Russian ‘methbot’ fraud steals $180 million in online ads,” CNN Tech, December 20, 2016, http://money.cnn.com/2016/12/20/technology/ad-fraud-online-methbot/
  45. Jamie Williams, “Expanded Government Hacking Powers Need Accompanying Safeguards,” Electronic Frontier Foundation, December 14, 2016, https://www.eff.org/deeplinks/2016/12/expanded-government-hacking-powers-need-accompanying-safeguards
  46. “Ad Networks: A New Avenue for Money Laundering,” Trulioo, October 27, 2015, https://www.trulioo.com/blog/ad-networks-a-new-avenue-for-money-laundering/
  47. “Clicks and impressions—Definition of invalid click activity,” Google AdSense Help, https://support.google.com/adsense/answer/16737?hl=en
  48. Susan Hogan, “Internet users falling prey to ‘click-jacking’ schemes,” WPRI 12 Eyewitness News, October 20, 2014, http://wpri.com/2014/10/20/internet-users-falling-prey-to-click-jacking-schemes/
  49. “Estonian Cybercriminal Sentenced for Infecting 4 Million Computers In 100 Countries With Malware In Multimillion-Dollar Fraud Scheme,” United States Department of Justice, April 26, 2016, https://www.justice.gov/usao-sdny/pr/estonian-cybercriminal-sentenced-infecting-4-million-computers-100-countries-malware
  50. Andy O’Donnell, “How to Protect Yourself From Clickjacking Attacks,” Lifewire, October 20, 2016, https://www.lifewire.com/how-to-protect-yourself-from-clickjacking-attacks-2487178
  51. Nancy Gohring, “Microsoft Chases ‘Click Laundering’,” PCWorld, May 19, 2010, http://www.pcworld.com/article/196694/article.html
  52. Bill Harmon, “Microsoft Adds New Defendant in Click Laundering Lawsuit,” Microsoft, December 10, 2010, https://blogs.technet.microsoft.com/microsoft_on_the_issues/2010/12/10/microsoft-adds-new-defendant-in-click-laundering-lawsuit/
