Earlier this year, a piracy network was fraudulently serving more than 2 billion online advertisements every day.
"Camu" (short for "camuflagem" in Portuguese), based out of Brazil, traffics in ad fraud on a mass scale. At its peak earlier this year, it was processing around 2.5 billion bid requests daily across 132 domains. As HUMAN Security researchers describe in a new report, that equates to approximately the ad traffic generated by the entire city of Atlanta, Georgia.
HUMAN researchers have thrown a wet blanket over Camu since discovering it back in December 2023. Though it's still active, it's processing a measly 100 million bid requests daily.
The scheme works thanks to a simple cookie-based redirection mechanism, which sends its users to the movies and television shows they're looking for, but sends pesky investigators to decoy sites.
Camu's Two Faces
Camu's piracy websites offer a user experience similar to that of any other standard piracy or pornography site. When a visitor arrives on the site and clicks on the content they wish to view, they're redirected to a second domain hosting it (a so-called "cashout site"), amid an onslaught of advertisements.
Many of these advertisements are from perfectly honest companies that surely wouldn't want to be associated with illegal content, if they knew about it. To keep them in the dark, Camu employs a rudimentary mechanism for ensuring that only its target audience ends up on its cashout sites.
"The actors in this operation are abusing a very important part of the Internet wherein a domain has the ability to load differently, depending on different parameters," explains HUMAN's director of fraud operations, Will Herbig. "If I go to a domain on my computer, as opposed to on my mobile phone, it might load the page differently, and that's OK. However, Camu is taking that and they're abusing it in a way that is really hard to detect."
When a visitor to a piracy site gets redirected to a cashout site, they're assigned a token. The token installs a cookie on their browser, which in a sense "admits" them to the cashout site with their content, and the ads.
Should anyone unwanted — say, a security researcher or an employee of an advertiser — arrive at the cashout domain via any other means, they would not possess that cookie, and therefore not be admitted to the site. Instead, they'd be redirected to a different, bland but ultimately innocuous site of one kind or another.
To obscure the relationships between its malicious domains and the piracy sites that serve them, Camu manipulates the information that would otherwise be transferred during the redirection process. Not only does it "scrub" any information alluding to the referring site, but it also adds false referral information to the landing domain's URL, giving the appearance that a visitor landed there from a reputable site or search engine.
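A defender-side check for the two behaviours described above, as an added example that is not from HUMAN's report or this article: it compares a cold visit with a click-through visit to the same landing domain, and checks whether a referral claim in the landing URL is backed by the Referer header. The crawl records, the `.example` hosts and the query-parameter names are constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed crawl records (not real data). "cold" = direct visit with an empty
# cookie jar; "clicked" = followed from the referring site, gating cookie set.
OBSERVATIONS = [
    {"mode": "clicked", "url": "https://cashout.example/watch?utm_source=google",
     "referer": "", "final_url": "https://cashout.example/watch"},
    {"mode": "cold", "url": "https://cashout.example/watch",
     "referer": "", "final_url": "https://decoy-blog.example/"},
    {"mode": "clicked", "url": "https://news.example/story",
     "referer": "https://search.example/", "final_url": "https://news.example/story"},
    {"mode": "cold", "url": "https://news.example/story",
     "referer": "", "final_url": "https://news.example/story"},
]
SOURCE_PARAMS = ("utm_source", "ref", "source")  # assumed parameter names

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()

def claimed_source(url):
    """Referral source asserted in the landing URL's query string, if any."""
    query = parse_qs(urlparse(url).query)
    for name in SOURCE_PARAMS:
        if query.get(name):
            return query[name][0].lower()
    return None

def audit(observations):
    """Return {landing_host: [flags]} for hosts showing either behaviour."""
    by_host = {}
    for obs in observations:
        by_host.setdefault(host(obs["url"]), {})[obs["mode"]] = obs
    findings = {}
    for name, modes in by_host.items():
        flags = []
        cold, clicked = modes.get("cold"), modes.get("clicked")
        # Same landing URL, different destination depending on the cookie.
        if cold and clicked and host(cold["final_url"]) != host(clicked["final_url"]):
            flags.append("cookie-gated: cold visit lands on " + host(cold["final_url"]))
        # URL claims a referrer that the Referer header does not support.
        for obs in modes.values():
            src = claimed_source(obs["url"])
            if src and src not in host(obs["referer"]):
                flags.append("referral claim '%s' not backed by Referer header" % src)
        if flags:
            findings[name] = flags
    return findings
```

Calling `audit(OBSERVATIONS)` flags only `cashout.example`; a missing Referer can also come from a strict referrer policy, so treat the second flag as a lead to confirm rather than proof.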
How Ad Exchanges Enable Fraud
As Herbig is quick to point out, "Besides Camu and Merry-Go-Round, we're tracking seven other operations that have a smaller but similar magnitude that are doing this type of thing."
The business has always been made easy by the degree to which online ad buying is automated, with middleman exchanges programmatically trafficking inventory between legitimate advertisers and sometimes less than legitimate buyers.
"Many companies only serve ads with companies that they have direct relationships with. That's not completely foolproof, but that tends to be a safer way to do it," Herbig explains. However, he adds, "the programmatic ecosystem is enormous. There are tens of thousands of publisher networks out there. Many of them are reputable, [however] there are threat actors that are trying to exploit this."
To cover for the problem introduced by middlemen ad exchanges, some advertisers turn to middlemen verification services. Unfortunately, some of these services have been shown to be ineffective at best.
"Ad fraud continues to be 'highest ever' year after year, both in dollar amount and percentage of ad impressions," laments independent ad fraud researcher Dr. Augustine Fou. "We have a few, occasional cases like this one that expose a tiny, tiny, but representative example of ad dollars going to the wrong places, like piracy sites. But piracy sites pale in comparison to the other horrific places ads have been shown to go to."