TAG Today - August 2023





Earlier this month, TAG’s Threat Intelligence team released the first of a series of regular reports on emerging threats in digital advertising. 

The inaugural threat assessment, “Exploiting Trust: Social Engineering Tactics on the Rise in Malvertising,” offered a detailed analysis around the growing risks of malware-based social engineering attacks on consumers and businesses. 

Following are select highlights from the report:

TAG Threat Intelligence assesses cybercriminals are all but certain to expand their use of digital advertising-enabled social engineering attacks over the next year. We are observing criminals rapidly adapt the core social engineering principles that make email phishing campaigns successful to online ads, a threat that is far less known to potential victims. …

Social engineering is not a new concept; for decades, threat actors successfully exploited users’ trust by running email phishing campaigns. More recently, cybercriminals are increasingly using multichannel phishing to evade email security and instead exploit less protected SMS, voicemail, and chat-based collaboration tools. 

Malvertising campaigns cataloged in the MTX [Malvertising Threat Exchange] increasingly utilize the same core social engineering principles behind other phishing campaigns, but instead leverage scam ads on trusted websites and within search engine results. 

  • According to multiple cybersecurity researchers, multichannel phishing is on the rise, with cybercriminals leveraging social engineering tactics in highly tailored and targeted attacks across email, SMS, and chat-based platforms. The current success of these attacks stems from having a wider attack surface, and their effectiveness will only rise with the help of Generative AI.
  • Most recently, malvertisers utilized a hybrid of search engine optimization (SEO) poisoning and social engineering tactics to exploit sponsored ads disguised as legitimate software download pages on popular search engines and social media platforms. The success of these attacks hinges on users having an implicit trust in well-known platforms and the ads they display.
  • In an ongoing malvertising campaign dubbed FizzCore, malvertisers use provocative ad creatives featuring celebrities to entice users to click, which leads to a landing page promoting a cryptocurrency investment scam. The use of ad creatives to pique users’ curiosity garnered much success, with the cybercriminals behind FizzCore earning up to $1M in a single day.[vii] FizzCore’s success has not gone unnoticed by other cybercriminals, with copycat tactics accounting for a plurality of threat intelligence shared by MTX members in 2023.

While we have not seen advertising exploited as part of a multichannel phishing attack, it is plausible this scenario emerges in the coming year. TAG lacks the corroborated evidence to confidently estimate the probability of this event; however, a logical next step for cybercriminals would be to leverage micro- and geo-targeted ads in multichannel phishing attacks on the employees of, for example, a specific corporate campus or critical infrastructure location.

Cybercriminals recently demonstrated this kind of creativity in their ability to rapidly adapt social engineering principles to new attacks in the development, and subsequent rapid proliferation, of SEO poisoning and FizzCore-like scam ads.


Inaugural TAG Report on Emerging Malvertising Threats Makes Waves In Media

MediaPost ran an exclusive article on the first report from the TAG Threat Intelligence team on emerging industry threats: 

Advertising has long been a vector for nefarious actors ranging from organized crime to a variety of other bad actors, but the proliferation of digital media and especially the programmatic advertising marketplace has given rise to increasing opportunities for purveyors of "malvertising" -- digital ads served to unsuspecting users that spread malware, compromise computer systems and harm consumers, publishers and platforms.

And while the magnitude has been difficult to benchmark, much less track, weakening advertising marketplace conditions are projected to accelerate the proliferation of malvertising, according to the first of what is planned to be an ongoing series of "threat assessment" reports published for the ad industry by the Trustworthy Accountability Group (TAG).

"Internet users remain largely unaware of the threat of malicious and low-quality advertisements on popular and trusted websites, social media platforms, and within search engine results because traditional cybersecurity training programs focus almost exclusively on the dangers of social engineering attacks via email and text messages - a gap that cybercriminals are increasingly using to their advantage," reads the first report in the series, "Exploiting Social Engineering Tactics On The Rise In Malvertising."


In additional coverage, AdExchanger featured the report in its morning newsletter under the headline, “Be Careful What You Click For.” From the article:

Since macroeconomic concerns are causing a drought in advertising spend, advertising is becoming an easier way to reach unsuspecting victims. Cybercriminals can win bids on unclaimed ad inventory at bargain-basement prices in the weak ad market.

“Cybercriminals may have more opportunity to take advantage of current market conditions with bad ads,” TAG’s report reads.

Besides, plenty of people already anticipate phishing scams that happen via email or text, so many wrongdoers are choosing malvertising on popular websites and social platforms instead. 



From “A Behind-the-Scenes Look at How Researchers Investigate Government-Backed Malvertising” in AdExchanger:

But although these are all useful signals for cybersecurity researchers, said Mike Lyden, VP of threat intelligence at TAG, they don’t definitively prove that the suspicious activity is government-backed. Which is why it’s important for researchers to work together.

Watchdogs look for commonalities between their own research and findings from other firms, Lyden said, and compare publicly shared evidence of network infiltrations. This allows them to build more detailed profiles of observed malvertising activity and get a better picture of the scope of these intrusions and the entities that are likely responsible. …

Often, the malicious software itself provides a fingerprint within its code that leads back to a specific threat actor. 

“Coders get sloppy,” Lyden said. They might leave code that reflects the time zone where the software was programmed, for instance, or there could be tells that point back to the developer’s mother tongue or country of origin. …

Ultimately, researchers generally can’t prove definitively whether a nation state is behind a malvertising attack. They can only offer estimates of probability, Lyden said. And the complexity of the advertising supply chain makes it easy for criminals to spread their activity across multiple jurisdictions, which makes it harder to prosecute, Lyden said.

But collaboration and transparency among cybersecurity firms, ad tech companies, Big Tech platforms and government agencies can at least make it easier to quickly identify scams and hold those responsible accountable.

“Stopping malvertising is really hard from a law enforcement standpoint,” Lyden said. “Doing so requires the industry to come together and self-regulate.”


From “IPG Mediabrands Achieves TAG Platinum Status for High Brand Safety, Fraud and Malware Best Standards” in Branding in Asia:

As marketers, agencies and platforms strive to provide safer online environments, IPG Mediabrands, the media holding company within the Interpublic Group of Companies (NYSE: IPG), announced that it achieved TAG Platinum status globally from TAG (the Trustworthy Accountability Group), the leading global initiative fighting criminal activity and increasing trust in the digital advertising industry.

Reprise, Kinesso and Matterkind, IPG Mediabrands performance and technology units, join media agencies UM and Initiative and intelligence arm MAGNA which received TAG’s global certification earlier this year. …

“TAG Platinum status is the highest honor that TAG awards to companies for demonstrating their commitment to protecting the digital advertising supply chain against its most significant threats,” said Mike Zaneis, CEO of TAG. “We commend IPG Mediabrands and its multiple companies for achieving TAG Platinum status and demonstrating their leadership in fighting fraud, combating malware, and creating safer environments for advertisers and audiences.”

Leverage TAG Research into Your Everyday!

From APAC Fraud Snapshot reports, to UK Brand Safety Consumer reports, to Best Practices whitepapers, TAG's research is here to support our members' day-to-day compliance as well as strategic planning.

Visit our Data and Insight page 👉 tagtoday.net/insights

Let's Make Some Noise Together 🤝

We love it when TAG members highlight our work together to fight digital ad crime and improve transparency. Please send any TAG-related press releases, blogs, or other announcements to Andrew Weinstein at andrewwstn@gmail.com for review before release.

