Fraudulent Ads Exploit COVID-19 Fears on Disney's ESPN.Com

Scam advertisements across major media outlets originate from DoubleClick and Xandr/AppNexus By now, all of us have been affected by COVID-19 through stay-at-home orders, business closures and cancelled events. This year, I wasn’t able to visit Prague over spring break like I had hoped to thanks to the shutdowns. Fortunately, the extra free-time allowed me to continue my work studying malicious ads across the Internet — and it’s a good thing I did. This time around, I had my eyes for something specific: advertisers have already been caught across Instagram and Facebook, alongside storefronts that offer commodities like face masks or hand sanitizer at a grossly marked up price. In many cases, users who click-through and pay up will receive nothing in return. peeled peddling fake coronavirus “cures” Facebook/Instagram have responded appropriately by banning these scammers and screening for ads that might be related to COVID-19. Unfortunately, other media outlets aren’t doing the same thing, and fake ads are spreading across major news sites that receive millions of visitors every month. In this article, I’ll share some of the things I found, beginning with Disney’s ESPN.com. But first, let’s talk methods. How I Scan for Scams In a , I explained how I scan for malicious ads using a combination of the Pyshark packet scanner and other open source tools. In this case — since I was looking for instead of malicious code running in the user’s browser — I had to slightly alter my strategy. previous article malicious source destinations Using HTTRACK and Wget, I wrote a crawler to compile a list of malicious URLs from trust rating authorities like Scamdoc. This data is used to scrape tags, links and keywords from the web sessions scanned by Pyshark. In the end, I am alerted to the most suspicious incidents, and attempt to replicate them. If I can do so, that is when I know I have something legitimate. Scam Time at ESPN.com ESPN.com — a major online destination for sports fans — is owned by Disney, and both companies use the same AdTech running on top of Google’s Ad Manager, which has been found to serve fraudulent ads in the past. When I scanned the site, it wasn’t too long before I found something undoubtedly malicious. The following ad purports to offer medical gloves and hand sanitizer: Clicking on the link will lead users to a domain advertising a number of sanitation commodities at a marked-up price: The fraudulence of this domain is already obvious based on the fact that hand sanitizer is not even available on Amazon.com, but further verification can be found by searching for the domain (homeinshop.com) and checking user reviews. Based on WHOIS, the site was , suggesting it was probably created for the of exploiting COVID-19 related fears. registered one month ago sole purpose Disney’s Negligence According to the URL chain, the origin of this ad traces — as expected — to Google’s Ad Manager (below), through ESPN’s content delivery network (above). We’ll talk about frequency later. As the owner of ESPN.com and the second largest media company in the world, Disney should be held accountable for allowing this ad to run. Over the past few months, publishers and ad networks have worked to proactively block potentially fraudulent domains, and keywords like “coronavirus”. At Disney, it seems that very little stands between malicious actors and their targets. Fraudulent Ads Spreading Through Xandr/AppNexus Thanks to its sheer size, Disney was the most prominent media outlet where I could find fraudulent ads spreading in the wild. However, just by going down the list of , I was able to find many more. In this case, I want to highlight ad networks instead of specific domains. popular news and entertainment websites In the past, I wrote about (formerly AppNexus), and the unusually high volume of malware-carrying ads that seem to appear on its partner sites. I fully expected to see more activity from them, and I wasn’t disappointed. I was a little surprised to see that it delivered from before multiple times. AT&T’s ad network Xandr the exact same ad Here’s one example from Vox.com (halfway down): And here’s another one from Today.com (near the top): In the end, my scanner was flagged for about I loaded over ~15000 sessions, and that’s not counting the ones it missed. When I went to manually replicate my results, I noticed a lot of suspicious content which fell through the cracks. Who knows how big this problem really is —I say it’s already . 0.28% of the ads way too big Thoughts and Conclusion When I talk about my hobby with friends, the reaction I’m often met with is indifference. “Surely anyone would know not to click that,” they say. And that might be true for of the people in my generation — but what about the elderly, and what about younger kids with access to their parents’ credit card? most The truth is, , because the site covered in this article has spent a lot of money to appear across multiple domains, and it’s been running for a month straight. We can assume that in this time of crisis, desperate people are clicking these ads, losing their money, and possibly engaging in unsafe practices when they end up with fake products/test kits. this tactic is obviously profitable At least some people are paying attention. For instance, the U.K’s Advertising Standards Authority (ASA) has where users can report fradulent advertisements — but so far, only 99 people have used it, and this problem is impacting way more than 99 people. Why can’t we expect large publishers like Disney and networks like Xandr to deal with this problem themselves? set up a website In the middle of a public health crisis, the real impact of fake/malicious advertising becomes painfully obvious. It’s not just an annoyance or a nuisance: it endangers public health and individual lives. People who depend on the Internet are not all digitally literate, and they shouldn’t have to be. Large brands who use visitors to make a profit should lift a pinky to protect their safety — and if they don’t, I’m going to call them out.