Over the past five years, thousands of websites belonging to US government agencies, leading universities, and professional organizations have been hijacked to promote scams targeting children. The scams typically trick children into downloading apps or malware, or into handing over personal information, in exchange for non-existent rewards in popular games like Fortnite and Roblox.
Security researcher Zach Edwards has been tracking these website hijackings and scams for over three years. He has found that the activity traces back to affiliate users of a single advertising company. This US-registered company operates as a web traffic service for online advertisers, and anyone can sign up and use its systems. Edwards regularly finds compromised domains, including .gov, .org, and .edu domains, being exploited by those affiliates.
According to Edwards, this group is the most prolific he has seen at compromising internet infrastructure and hosting scams on it. The website compromises are ongoing and the scams are visible to anyone, which makes them particularly noteworthy. The specific methods used to generate revenue are complex, but the hijacked websites are all compromised in the same manner. Attackers exploit vulnerabilities or weaknesses in a website's backend or content management system and upload malicious PDF files. These files, referred to as “poison PDFs,” are built to rank in search results and advertise free in-game rewards or access to popular films. When users click the links inside a poison PDF, they are redirected to scam landing pages, many of which are aimed at children.
For instance, a PDF offering free coins for an online game leads to a website that asks for the user's in-game username and operating system. Once those details are entered, the site prompts the user to sign up for another service, enter personal information, or download an app to unlock the promised rewards. In Edwards' tests, the rewards never arrive. The scammers are paid when a user follows through on one of these required actions.
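A site owner who wants to know whether their own server is already hosting poison PDFs can triage the files directly: the lure described above leaves two traces in the file itself, reward-bait text and link annotations pointing off-domain. The script below is an added example written for this page, not code from Edwards or from the article; it scans raw PDF bytes for `/URI` link targets (literal and hex-encoded forms) and `Tj` text operators, and flags a file that both links away from the site's own domains and reads like a reward lure. The lure vocabulary and the two sample PDFs are constructed for illustration. The byte-level regex approach only sees objects that are not inside compressed streams, so a file that passes this check still deserves a look with a full PDF parser.

```python
"""Triage PDFs on a web host for off-domain reward-lure links."""
import re
from urllib.parse import urlparse

# PDF link annotations carry the target as /URI (literal) or /URI <hex>.
# These patterns only see objects that are not inside compressed streams.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Page text drawn with the Tj operator: (string) Tj
TEXT_LITERAL = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")

# Bait vocabulary drawn from the scams the article describes (hypothetical list, tune per site).
LURE_TERMS = ("free", "robux", "v-bucks", "coins", "generator", "gift card", "full movie")

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(literal: bytes) -> str:
    """Resolve the PDF literal-string escapes that matter for URLs (octal escapes ignored)."""
    return re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), literal).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in uncompressed objects, literal or hex encoded."""
    uris = [_unescape(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PDF pads an odd trailing hex digit with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def extract_text(pdf: bytes) -> str:
    """Join the string operands of Tj operators; enough to read simple single-page lures."""
    return " ".join(_unescape(m.group(1)) for m in TEXT_LITERAL.finditer(pdf))


def _is_own_domain(host: str, own_domains: set[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in own_domains)


def triage_pdf(pdf: bytes, own_domains: set[str]) -> dict:
    """Flag a PDF that both links off-domain and reads like a reward lure."""
    external = []
    for uri in extract_uris(pdf):
        host = urlparse(uri).hostname  # None for mailto: and similar schemes
        if host and not _is_own_domain(host, own_domains):
            external.append(uri)
    haystack = (extract_text(pdf) + " " + " ".join(external)).lower()
    lure_hits = sorted(t for t in LURE_TERMS if t in haystack)
    return {
        "external_uris": external,
        "lure_hits": lure_hits,
        "suspicious": bool(external) and bool(lure_hits),
    }


def _sample_pdf(page_text: str, annots: str) -> bytes:
    """Constructed minimal uncompressed PDF used as a fixture; not a captured file."""
    content = f"BT /F1 24 Tf 72 700 Td ({page_text}) Tj ET".encode()
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R 6 0 R] >> endobj\n"
        b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\nstream\n"
        + content + b"\nendstream\nendobj\n"
        + annots.encode() + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Fixture 1 (constructed): a lure PDF. The first link uses escaped parentheses,
# the second is hex encoded; both point at made-up .invalid hosts.
POISON_PDF = _sample_pdf(
    "Free Robux Generator 2024",
    "5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 400 720] "
    "/A << /S /URI /URI (https://free-robux-example.invalid/claim\\(1\\)?ref=abc) >> >> endobj\n"
    "6 0 obj << /Type /Annot /Subtype /Link /Rect [72 640 400 660] "
    "/A << /S /URI /URI <" + "https://scam-landers.invalid/locker".encode().hex() + "> >> >> endobj",
)

# Fixture 2 (constructed): a legitimate document on the same host, linking only to itself.
BENIGN_PDF = _sample_pdf(
    "Course catalog: free tutoring hours",
    "5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 400 720] "
    "/A << /S /URI /URI (https://www.example.edu/registrar) >> >> endobj\n"
    "6 0 obj << /Type /Annot /Subtype /Link /Rect [72 640 400 660] "
    "/A << /S /URI /URI (mailto:registrar@example.edu) >> >> endobj",
)

if __name__ == "__main__":
    for name, pdf in (("poison", POISON_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(pdf, {"example.edu"}))
```

The benign fixture deliberately contains the word "free" so that text alone does not raise an alert; a hit requires both an off-domain link and lure vocabulary, which keeps ordinary campus or agency PDFs from flooding the review queue. In a real sweep you would walk the upload directories of the CMS and run `triage_pdf` over each file, then review the flagged ones by hand.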
These scams are connected to the advertising firm CPABuild and its network members. Every compromised website with uploaded PDFs links back to CPABuild's command-and-control servers. CPABuild describes itself as a content-locking network: a platform on which customers host tasks that users must complete before content is unlocked. CPABuild affiliates push people toward those offers by spamming links in YouTube comments or by creating pop-up “locker” pages. The payment model is known as cost per action (CPA): the affiliate is paid only when a user completes the required action.
Attempts to reach CPABuild for comment were unsuccessful. The company website names no individuals behind the company and offers little information overall. It claims to run daily fraud checks and to prohibit fraudulent activity and the sharing of specific types of content. The site also states that it has paid out over $40 million to publishers and offers thousands of templates and landing pages.
In short, thousands of US government, university, and professional organization websites have been hijacked over the past few years to promote scams targeting children. The hijackings are linked to an advertising company called CPABuild, whose platform lets affiliates earn money through these scam techniques.