Financial scams are on the rise. Earlier this year, the Federal Trade Commission (FTC) reported that financial scams increased 70% in 2021, bilking U.S. consumers of $5.8 billion and a record 2.8 million people filed a fraud complaint with the Commission.
Cybercriminals hone in on those who are most vulnerable. They steal their life savings and leave them destitute, something no publisher wants to unwittingly take part in. How do scammers get away with it? And what tools can publishers implement to stop it? To answer these questions, we need to delve into clickbait financial advertising crimes, analyze weaknesses in the digital ad supply chain exploited by these bad actors, and determine how they manage to appear legitimate.
How Your Users are Lured into Ad Scams
It all starts with a clickbait creative touting an easy way to earn money. Clickbait ads promise to let users in on the secret to a celebrity’s financial success, others feature a regular person, like a soccer mom who now drives a Lamborghini. Unlike code-based scams, clickbait ads are a form of social engineering- they beckon the user into a trap with the promise of wealth, health, or fame.
Figure 1: Cryptocurrency Ad Creative
There are myriad versions of clickbait scams and malvertising. They reflect current trends, from cryptocurrency and NFTs to the American Rescue Plan and the Student Loan Payment Pause. If there’s a news story about people getting rich or finding relief from a financial burden, scammers will use it to drive victims into their funnel.
Today’s scammers go to great lengths to conceal their ploys in a cloak of legitimacy. They mimic fake news sites to use as landing pages and launch websites for the “companies” behind clickbait ads. Cybercriminals create fake LinkedIn profiles for the company’s “leadership” listed on the About Us page. Some will create fake news sites that include “reviews” from people who enjoyed fabulous success. They’ll even launch Google Ads search campaigns for users who look up the term “Is XYZ legit?”
The Warm-Up Stage
Scammers rely on the programmatic ecosystem to deliver clickbait ads to victims and to do that, they must first enter the ad supply chain. We call this the warm-up stage; its purpose is to get their scam on the list of acceptable advertisers so they can access the entire ad delivery chain.
Campaigns run by new advertisers are spot-checked to ensure they’re not up to anything nefarious.
Figure 2: Innocuous ad creative for grass
Knowing that ad quality spotcheck checks are waiting for them, scammers first run innocuous campaigns like this one about getting rid of grass in unwanted areas. The ad leads to an equally innocent-looking landing page about unwanted grass.
Few, if any, consumers click on these ads, but that’s not the point. The scammer’s goal is to ensure that their advertiser ID and name are approved across all advertising delivery chains. Once scammers have earned that trust, the warm-up phase ends, and they switch tactics.
At this stage, scammers switch the approved ad creative with a clickbait one, often featuring a celebrity and promising a financial windfall to those who click. These ads are designed to look like breaking news stories, especially when they feature a celebrity.
Figure 3: Fiancial Ad Clickbait
Like all advertisers, scammers spend a great deal of time tailoring creatives to specific audiences. Ads aimed at Canadian targets feature Keanu Reeves, while those sent to Australians feature Mel Gibson. Targets worldwide are shown ads featuring Elon Musk.
Figure 4: Fiancial Ad Clickbait
Landing Pages are Key to the Ad Quality Puzzle
Once a user clicks on the ad, they are taken to a landing page that mimics a legitimate news site, such as Forbes, BBC, The Daily Mirror, or another well-known publication in their geolocation. The fake news site’s URL will be very similar to the legitimate publisher’s URL (forbesnews.com vs. forbes.com), further convincing users that the site is real.
The “site” features an article describing how a celebrity or ordinary person made lots of money trading cryptocurrency, stocks, or some other scheme in line with a current news story. It’s not uncommon to see “endorsements” by other users who claim to have done very well with the investment tactic described.
Tactics for identifying fake sites
The fake sites are not exact replicas of the real ones, and only an astute reader will notice the minor differences between the two. These modifications protect the scammers from copyright infringement lawsuits by the legitimate publishers, all while the scammers continue pushing victims further down the funnel.
The landing pages are designed so that every clickable element leads users to a deceptive offer page that prompts them to provide their personal information and credit card details to register for a service.
Cloaking: Hiding in Plain Sight
Scammers know that many publishers have anti-malvertising detection systems to spot-check ad creatives and assess their legitimacy. To succeed, scammers must circumvent these protections. Cloaking lets scammers cherry-pick the users who see their deceptive ads, while attempting to evade anti-malvertising companies like GeoEdge. Cloaking requires that scammers find a way to distinguish between scam-worthy and non-scam worthy clients or users.
To make that distinction, scammers “fingerprint” all users before showing them a malicious landing page. Fingerprinting involves running a series of tests post-ad-click to determine if the client really is who they claim to be. Fingerprinting checks whether the client is really an iPhone user or merely a fraud detection engine emulating an iPhone. Are they located in Canada, or are they just using a proxy VPN to hide their true location? The answers to these questions are recorded so the scammer can choose whether to strike or hide the next time that user is seen.
There are different forms of cloaking. The type used in clickbait occurs post-click and is based on a scammer’s ability to fingerprint the client beforehand. Not all fingerprinting approaches work the same way, and not all are equally effective.
Cloaking is also used when a scammer doesn’t view the user as scam-worthy. For example, a scam designed to lure German citizens may detect that the user behind the impression is actually in another location. In such a case, the user is redirected to a decoy, or a non-malicious landing page.
Preventing the Next Financial Clickbait Scam
Scammers are patient enough to build out an entire ecosystem of assets to lure victims into their traps. They’re willing to create numerous ad versions, fake news sites, review sites, LinkedIn profiles, and more.
To be fully protected, you need someone on your side who’s willing to work even harder than the scammers. GeoEdge has the tools and knowledge to detect even the most sophisticated financial scams. Even under the guise of detailed legitimacy, GeoEdge stops scammers in their tracks, protecting your users and your reputation.