Trade Body to Roll Out ‘TAG Threat Exchange’ Following FBI Bot Takedown

Threat-indexing system combating malware redirects as it takes the fight to fraudsters

TAG’s initiative has been built to bring bad actors spreading malware and generating fake traffic to justice.

Earlier this week, the U.S. Department of Justice indicted several foreign nationals alleging a digital advertising fraud scheme worth more than $30 million.

This followed an FBI-led investigation aided by the trade group the Trustworthy Accountability Group (TAG). In the first half of this year, TAG rolled out a beta version of a platform for ad-tech companies to share intel on suspicious activity with each other as well as with law enforcement.

Dubbed the “TAG threat exchange,” the platform lets participants, such as buy- and sell-side ad tech, communicate different types of attacks on their respective networks, such as IP addresses that generate fraud or data centers generating large volumes of bot traffic and/or malware.

“At the end of the day, it’s certainly the idea to start passing big information and big databases over to law enforcement,” said Mike Zaneis, CEO of TAG. “It won’t happen overnight, but someday my dream is to see [offenders] do the perp-walk with the criminal in handcuffs to jail, and that’s when TAG will have really achieved its goal.”

Opinions on the impact of fraud vary. A report published by Fraudlogix claimed that up to 12 percent of global ad traffic is fraudulent, with the U.S. market suffering from this phenomenon above the global average. Meanwhile, a 2017 study from the ANA and White Ops pegged the financial impact of the problem at $6.5 billion globally.

Zaneis went on to detail how TAG, which debuted under the auspices of other industry trade groups 4A’s, ANA and IAB, is now partnering with TruSTAR—a company specializing in building information-sharing hubs—to give the platform more scale and ad-tech companies a way to combat and report fraud.

“Let’s say ‘ad exchange A’ identified a set of IP addresses that are associated with a bot-net,” Zaneis said. “They share those IP addresses on the TAG threat exchange, and then everybody immediately knows to look for any traffic coming from them. So it becomes this cascading effect where the big platforms share information and the criminal operations are less effective.”

Paul Kurtz, CEO of TruSTAR, told Adweek the operation should be able to on-board members from the first quarter of next year and that participants in the program should be able to share intelligence in real-time. He predicted that the headlines generated by this week’s court proceedings around ad fraud would provide the impetus for widespread and rapid participation in the scheme.

Beta testers of the platform include some of the industry’s biggest players, like Google, OpenX and risk management firm The Media Trust. The platform is scheduled to open up to the ad-tech community in the first quarter of 2019.

Cooperation between TAG and law enforcement has been in place since its inception, but this coordination picked up the pace in 2017 when the trade group–whose primary remit is to tackle fraud, malware and internet piracy–was designated as a federal information sharing and analysis organization (ISAO).

TAG then kickstarted a beta version of the “threat exchange” earlier this year—it is important to note it was not involved with the aforementioned FBI investigation—with early efforts focused on ensuring players are sharing the right kinds of information and that the infrastructure was fit for purpose.

Presently, intel-sharing is focused on malware attacks that enter the advertising ecosystem via infected ad creatives, as this is the most widely reported complaint from media owners. Once such malware enters the ecosystem, it can redirect audiences from a publisher page to rogue websites which can subsequently infect their machines without their knowledge.

“Our industry is fighting a constant arms race against criminal actors bent on defrauding advertisers and hurting publishers through a variety of means including malware and ad fraud,” said John Murphy, global head of quality at OpenX.

A spokesman for The Media Trust added: “From malvertising and redirects to data protection and ad quality violations, our expansive industry relationships will help facilitate the detection and sharing of threats propagating in the digital advertising supply chain.”

Although TAG’s “threat exchange” was not involved in the investigation unearthed earlier this week, the TAG Leadership Council met with “cross departmental investigators” at FBI headquarters when it convened in Washington D.C. last month to discuss such matters.

“The idea is that with these added [threat-sharing] capabilities, we really will be the hub for sharing that kind of information among [the] industry and with law enforcement,” added Zaneis.

According to the court papers unsealed earlier this week, the fraudulent activity occurred between Sept. 2014 and Dec. 2016, and it involved more than 5,000 fake domains and 1,900 computers. The defendants allegedly also leased more than 650,000 IP addresses, resulting in more than $7 million in revenue from fake advertising. So far, three people have been arrested, while others remain at large, according to the DOJ.

As part of the investigation, the federal court allowed the FBI to take control of 31 internet domains and provided search warrants for 89 computer servers allegedly engaged in digital advertising fraud with the help of botnets. Google, White Ops, Microsoft and the ad-tech firm MediaMath also assisted the FBI in the investigation and taking down the botnets.

A subsequent report published by Google also revealed details on the size and scope of the operation, which included more than 3 billion daily bid requests, 1 million compromised IP addresses and 700,000 active infected devices.

@ronan_shields Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.