Forbes: Mobile Ad Fraud: Why Should An Enterprise CIO Care?
Most of the CIOs I meet with are concerned about mobile fraud, but they focus their resources on mobile commerce (card-not-present transactions), phishing attacks and/or ransomware.
CIOs and CTOs should not underestimate, however, the cost and manpower drain caused by mobile ad fraud for their corporate users and IT teams.
At face value, it would appear mobile ad fraud is primarily a problem for the advertiser and publisher — or the app itself that’s running the fraudulent ad. Why should a CIO or CTO care? Unfortunately, with advancements in mobile ad fraud, it’s rarely just one fraudulent ad.
Over the last few years, the number of different types of mobile ad fraud integrated into apps via malware has grown (and continues to grow) to include click spamming, click injection, ad stacking and invisible ads. Now, if an app that contains malware is downloaded by someone in a corporate environment, that could enable a hacker to use one of the aforementioned mobile ad fraud tactics to access the corporate network. It’s also highly likely that the initial corporate user who downloaded the app with the malware would encourage friends in the office to also download that app, infecting their devices, which could ultimately compromise the network.
The Far-Reaching Effects Of Fraud
There are many negative repercussions of mobile fraud. First, in order to generate fraudulent ad clicks, infected phones need to communicate with the servers hosting the fraudulent activities. Next, these communications drain a phone’s battery while increasing the data bandwidth the phone consumes. Beyond this, fraudulent ads can also slow down the phone, resulting in a poor user experience.
So far I’ve addressed the more benign side of mobile ad fraud. Unfortunately, it can also be an opening for hackers to gain access to your corporate network. Remember how alleged Russian hackers used fraudulent emails to gain access to the Democratic National Committee’s network? There’s no reason something similar couldn’t happen with a fraudulent mobile ad or app.
A good example of how mobile fraud can impact the enterprise is the ad malware attack from last year named CopyCat. The attack, which infected over 14 million Android devices, was the result of cyberattackers essentially hijacking apps, repackaging them with the malware and allowing them to be downloaded from third-party app stores. CopyCat utilizes advanced technology to conduct various forms of ad fraud, including getting credit for fraudulently installing apps, displaying bogus ads while hiding their origin (so users can’t understand what’s causing the ads to pop up on their screens) and installing fraudulent apps directly onto the infected devices.
With CopyCat, the malware waits until the device is restarted, so that the user does not connect the newly installed app with the malicious activity. After the restart, CopyCat roots the user’s device, giving the attackers full control of it and essentially leaving the user defenseless.
Beyond the revenue CopyCat generates from fraudulent and malicious marketing activities, the risks to the enterprise are far greater:
- Adware enables the stealing of sensitive information from infected devices, which can then be sold to third parties.
- The perpetrators of adware campaigns root or jailbreak devices, leaving users vulnerable to other kinds of hacks. In the future, the same perpetrators could spread different, more nefarious types of malware or use them to create denial of service attacks.
Once hackers gain control of one mobile device connected to a corporate network, attackers then have all they need to breach the business’ complete network and gain access to sensitive data. Adware, which roots a device and leaves it vulnerable to any type of attack, is ultimately what these hackers are looking for in order to infiltrate a corporate network.
A Smart Plan Of Attack
Given the broad range of devices, device types and operating systems that today’s CIO must support, coupled with users increasingly bringing in or buying their own hardware and software, it’s nearly impossible to eliminate mobile ad fraud from the corporate network. The best way to combat mobile ad fraud is through continuous employee education:
- Corporate users should be careful with the apps they install. They should install popular apps from Google Play or Apple’s App Store that are familiar to corporate system administrators and uninstall the apps they’re no longer using.
- Corporate users should make sure that the permissions an app requests aren’t suspicious. A flashlight app, for example, doesn’t need to know your location.
- If something looks or seems suspicious, consult with your sysadmin.
While cyberattackers make it their mission to stay ahead of the latest technologies and anti-fraud measures, savvy CIOs can set their organizations up for safety and success with thoughtful and cautious preventive measures.
– Ofer Garnett