browsers require users to occasionally confirm<\/strong><\/a> they want to be subscribed to push notifications. If users fail to do so, their browsers will eventually block these notifications. This may explain why we were still receiving requests to subscribe to notifications from the server we took over despite it being abandoned for days.<\/p>\nOne thing that was making us realize how few people were actually clicking on those ads was that this threat actor seems to be estimating the Click Through Rate (CTR) each ad might get, but their estimations are pathetically low. Which is confusing because it is a number that they are providing, both to advertisers and victims!?<\/p>\n
According to the actor, their highest CTR estimated for any victim at any time is 1 in 175, which wouldn\u2019t be too bad, but the average was 1 in 60,000! It gets even worse when looking at their median CTR: over half the subscribers click once for every 950,000 impressions!<\/p>\n
We thought that there must have been something wrong with their estimation process, so we computed the effective CTR we observed over the 15 days of logs we had, and it turns out that they were surprisingly not far off, with an effective CTR of 1 in 80,000, equivalent to a grand total of 630 clicks out of the 52 million ads we logged.<\/p>\n
The Notifications<\/h3>\n
The notifications used deception, fear, and hope to entice users to click on the links. The themes included impersonation of legitimate financial services like Bradesco, Sparkasse, Recibiste, MasterCard, Touch \u2018n Go, and GCash. Clickbait lures included references to scandals, politicians, and famous personalities. The use of figures like Elon Musk led to investment scams and fake news sites. Other notifications led to adult content scam sites, in which victims likely unwittingly interact with AI bots and paid personalities, while giving rights to their personal text and images to the website for commercial use. Scare tactics typically led to unnecessary anti-virus subscriptions. While the affiliate advertising ecosystem is structured in a way that distributes responsibility across multiple services, the behavior of associated partners and affiliates remains relevant when assessing ecosystem risk. Figure 7 shows a distribution of lure types we observed.<\/p>\n
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-7.jpg\")
<\/p>\n
Figure 7. Percentages of the different types of lures used in the notifications we analyzed<\/p>\n
Their Economy<\/h3>\n
One question remained: The domains we took over had been running for a while, so how much money did this threat actor actually make with this push notification infrastructure? Considering how few people actually click on the notifications, were the campaigns even profitable? If not, that might explain why they abandoned their domains.<\/p>\n
This notification network has two different cost models: Cost Per Mile (1000 impression \/ CPM), and Cost Per Click (CPC). Considering how low the click through rate was, we assumed that ads using the CPC cost model would make them a negligible amount of money, and after verifications, we were right. Over the 15 days of data we looked at, ads using this cost model generated $1.80 (that is correct–the dot is not misplaced: one dollar and 80 cents).<\/p>\n
So, we focused on the cost of the CPM ads. To the best of our ability, we can estimate that they were making about $350.00 per day from these ads. Not to minimize the value of the dollar, but this seemed very low.<\/p>\n
The ad publishers here are all sketchy, so we are not really rooting for them, but we can\u2019t help but wonder what they get from advertising on these platforms? One thing that confused us from our logs at the start of our analysis was that the same victim would be shown the same ad multiple times. We started doubting the integrity of our data, and tried to remove duplicate entries, but there were basically none! There were partial duplicates for sure: the same ad being pushed to the same victim at the exact same time with the exact same notification body and title. Each time, the price of the notification would be slightly different, so we were a bit perplexed… until we realized that each time, these duplicated ads had different delays<\/em>.<\/p>\nDifferent delays mean that despite getting paid per 1000 ad impressions, this threat actor shows victims the same ad, up to 20 times per day. Obviously, this is annoying for the victims who get spammed with the same scam more than once, but this must also be a genuinely bad investment for the \u201cadvertisers\u201d trying to scam victims, right? The likelihood that someone who did not fall for your scam on the 19th time that day falls for it on the 20th time must be incredibly low. This threat actor isn\u2019t just scamming regular people; their pricing and delivery practices appear to disadvantage their own advertising affiliates\u2014which is consistent with public complaints about the platform.<\/p>\n
At this point, something seemed off, so we tried to figure out what was impacting the price of ads, and what we might be missing.<\/p>\n
We looked at the parameters that influence the price of ads for other similarly shady push notification services we are tracking (Figure 8).<\/p>\n
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-8.jpg\")
<\/p>\n
Figure 8. Price of notifications per day per target country<\/p>\n
As expected, victims in some countries are more expensive than victims in other countries. Importantly, victims in India are worth basically nothing, and as we mentioned before, about 20% of the notifications we tracked were sent to victims in India. The other interesting aspect of this graph is that, regardless of the country to which the ad is being pushed, the average CPM (Cost per 1000 impressions) is still very low. From looking at publicly advertised pricing and features commonly promoted by similar push-notification monetization services, we would normally expect prices significantly higher than those observed in our data. It is unclear whether the discrepancy reflects differences between publicly advertised pricing for comparable services and the subset of traffic we observed, or whether it is specific to the domains included in our dataset.<\/p>\n
As shown in Figure 9 below, most ads cost less than 5 cents (note the graph uses a logarithmic scale) regardless of the payment model used. One important thing to note is that the number of ads per price bracket doesn\u2019t decrease either logarithmically or linearly. For CPM ads, there is a sort of plateau as they start costing more than 25 cents. For CPC ads, their number oddly vanished around under 20 cents, but a surprisingly high number of them cost between 20 and 25 cents, which seems to be their maximum cost. We can only really speculate as to why that is, but one guess is that there is some kind of increased competition for more valuable victims, driving the price of ads targeting valuable users higher than expected.<\/p>\n
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-9.jpg\")
<\/p>\n
Figure 9. Number of ads observed per price bracket<\/p>\n
Apart from the country their victims are from, it is unclear if any of the other \u201cfeatures\u201d this threat actor offers to their publishers are valuable. For example, they have an \u201cHQ\u201d feature (presumably standing for \u201chigh quality\u201d), but the victims with that flag are not being pushed more expensive ads than anyone else. Their IP mismatch feature also doesn\u2019t seem to work, so the flag is often set to True despite the victim using the same IP as when they were sent ads. And with regards to their other FP prevention features, we could not verify any of them were reliable, as none of them ever triggered. Even if those features were working as intended, it seems like either: \u201cadvertisers\u201d do not trust them, as they have no impact on the bidding price for ads; or they do not care about who they advertise to, potentially because they have no other option to advertise their scams, and they have accepted that victims accidentally clicking their ads is the only way they can get traffic.<\/p>\n
The last factor we thought might influence the price of ads was their content. We classified ads according to their lure, trying to find out whether some ads were inherently more valuable. As Table 2 below shows, this does not appear to be the case. No matter the kind of ads, and the lure they use to deceive victims, they are all priced roughly the same.<\/p>\n
\n\n\n| Notification Lure<\/th>\n | Notification Count<\/th>\n | Victim Count<\/th>\n | Average CPM<\/th>\n<\/tr>\n<\/thead>\n |
\n\n| Gambling Scams<\/td>\n | 19,674,313<\/td>\n | 19,635<\/td>\n | $0.01<\/td>\n<\/tr>\n |
\n| Money<\/td>\n | 7,227,396<\/td>\n | 18,415<\/td>\n | $0.01<\/td>\n<\/tr>\n |
\n| Other<\/td>\n | 4,071,338<\/td>\n | 16,923<\/td>\n | $0.01<\/td>\n<\/tr>\n |
\n| Fake Notification<\/td>\n | 7,695,239<\/td>\n | 16,180<\/td>\n | $0.01<\/td>\n<\/tr>\n |
\n| Adult Content<\/td>\n | 2,981,009<\/td>\n | 15,884<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Security Alert<\/td>\n | 4,948,413<\/td>\n | 15,505<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Other Urgent Alerts<\/td>\n | 2,262,384<\/td>\n | 15,420<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Crypto Currencies<\/td>\n | 1,051,895<\/td>\n | 9,464<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Prohibited Content<\/td>\n | 1,087,706<\/td>\n | 9,336<\/td>\n | $0.01<\/td>\n<\/tr>\n |
\n| Fake News<\/td>\n | 463,588<\/td>\n | 7,706<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Government Scams<\/td>\n | 389,605<\/td>\n | 6,518<\/td>\n | $0.02<\/td>\n<\/tr>\n |
\n| Health Scam<\/td>\n | 152,825<\/td>\n | 2,170<\/td>\n | $0.01<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Table 2. Number of notifications, victims, and the average CPM per lure category. (Note that victims can be counted more than once in this table if they have been pushed notifications with different lures.)<\/p>\n No matter what variable we tried to isolate, how much we tried to clean up our data to remove outliers and make sure we were not comparing apples to oranges, we couldn\u2019t find anything to explain the low price of those scam push notifications. One possible explanation is that the infrastructure was no longer economically viable.<\/p>\n Distributed Deniability<\/h3>\nThe operational characteristics observed in this push-notification monetization service align with patterns commonly seen across similar services in the gray-market advertising ecosystem. These patterns include the use of Telegram-based channels for affiliate recruitment and promotion, including Russian-language channels, as well as infrastructure and business models frequently associated with Eastern European push-monetization operations. Discussions on underground advertising forums regularly include complaints and allegations of deceptive practices directed at services exhibiting these characteristics. Together, these factors illustrate how responsibility and accountability are often diffused across interconnected services within this ecosystem.<\/p>\n In this service, the notification hyperlinks contain a rich set of unencrypted data. Every user click sends detailed information to their server that records the bidding process, images used in the notification, and data about the device. The message is assembled from components spread across commercial content distribution networks (CDNs) that market their services to gray-hat and black-hat advertising operations. Images are hosted on one service; user information is tracked on another. See Figure 10 for some of the component images in notifications from this service which are loaded from different providers.<\/p>\n \n ![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-10a.jpg\") \n ![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-10b.jpg\") \n<\/div>\n Figure 10. Individual images shown in browser notifications are fetched from dedicated servers run by separate commercial entities<\/p>\n Ultimately, the network is dependent on the services of a variety of other commercial entities to operate. Some of these are abused; their customer base includes both legitimate and sketchy actors. But others are consistently associated with infrastructure used in cybercriminal activity, whether by choice or circumstance. These providers, whether they be hosting providers or software services, make scam and malware distribution at scale possible. At the same time, each one is typically only one component of a very complicated operation. Regardless of where these commercial entities are registered, we believe the micro-segmentation of services that make this all possible is a structure that results in distributed operational responsibility.<\/p>\n Beyond the distributed nature of the affiliate advertising economy, many scammers view different types of fraud with relative morality. For instance, investment scams might be viewed as pure theft. But they perceive other types of digital fraud as lesser evils when the user agrees to terms and conditions (T&C). Of course, most users do not review these documents, and if they do, they are unlikely to understand the tangle of legalese, but scammers believe they are absolved of any wrongdoing by the \u201cfine print.\u201d<\/p>\n We\u2019ve noticed that many push monetization services have adopted language that warns the subscriber that \u201cnotifications may contain errors, inaccuracies, or content that you find objectionable.\u201d They, the transmitter of this information, accept no blame. They also sometimes include directions on how to change notification settings in the browser, even though users are unlikely to see these warnings. See Figure 11.<\/p>\n ![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-11a.jpg\")
\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-11b.jpg\") <\/p>\n
Figure 11. These screenshots show partially extracted terms and conditions from a commercial push monetization service. This service is not the subject of this paper and is shown solely as an illustrative example.<\/p>\n Advertising networks often have guidelines for the \u201ccreatives\u201d that are used in notifications. These requirements often walk a thin line<\/strong><\/a> between deception and outright lies. They might claim to reject messages like \u201cYour computer has HDD malfunction\u201d but allow \u201cYour computer might be damaged\u201d because it is \u201cless aggressive.\u201d We have studied several commercial affiliate advertising networks and have yet to find one that enforces their published guidelines.<\/p>\nAccording to the website of the platform that we analyzed, their compliance team reviews all advertising content and will purportedly reject deceptive messages. But the data included notifications like:<\/p>\n \n- \u201c\u00a1Android infectado con MALWARE!\u201d (Android infected with malware!)<\/li>\n
- \u201cSystem ben\u00f6tigt einen Scan\u201d (System needs a scan)<\/li>\n
- \u201cbellek dolu\u201d (memory full)<\/li>\n
- \u201c5 viruses detected!\u201d<\/li>\n
- \u201cWhatsApp ra\u010dun je blokiran\u201d (WhatsApp account blocked)<\/li>\n
- \u201cSparkasse: Zahlungseingang\u201d (Sparkasse Payment Received)<\/li>\n<\/ul>\n
From millions of push notifications, we saw these lures are the rule, not the exception. Until push notification networks distributing deceptive content place firmer controls on their affiliate content, we consider them a high risk. Fine print that puts the burden of fraud onto the victim is not sufficient.<\/p>\n |
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-1.jpg\")
<\/p>\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-2a.jpg\")
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-2b.jpg\")
\n<\/div>\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-3.jpg\")
<\/p>\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-4.jpg\")
<\/p>\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-5.jpg\")
<\/p>\n![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/inside-a-malicious-push-network-what-57m-logs-taught-us-figure-6.jpg\")
<\/p>\n