Thousands of websites belonging to US government agencies, leading universities, and professional organizations have been hijacked over the last half decade and used to push scammy offers and promotions, new research has found. Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for nonexistent rewards in Fortnite and Roblox.
For more than three years, security researcher Zach Edwards has been tracking these website hijackings and scams. He says the activity can be linked back to the activities of affiliate users of one advertising company. The US-registered company acts as a service that sends web traffic to a range of online advertisers, allowing individuals to sign up and use its systems. However, on any given day, Edwards, a senior manager of threat insights at Human Security, uncovers scores of .gov, .org, and .edu domains being compromised.
“This group is what I would consider to be the number one group at bulk compromising infrastructure across the internet and hosting scams on it and other types of exploits,” Edwards says. The scale of the website compromises—which are ongoing—and the public nature of the scams makes them stand out, the researcher says.
The schemes and ways people make money are complex, but each of the websites is hijacked in a similar way. Vulnerabilities or weaknesses in a website’s backend, or its content management system, are exploited by attackers who upload malicious PDF files to the website. These documents, which Edwards calls “poison PDFs,” are designed to show up in search engines and promote “free Fortnite skins,” generators for Roblox’s in-game currency, or cheap streams of Barbie, Oppenheimer, and other popular films. The files are packed with words people may search for on these subjects.
When someone clicks the links in the poison PDFs, they can be pushed through multiple websites, which ultimately direct them to scam landing pages, says Edwards, who presented the findings at the Black Hat security conference in Las Vegas. There are “lots of landing pages that appear super targeted to children,” he says.
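A defender-side check for the pattern described above, as an added example that is not part of the original article or Edwards' research: it triages PDFs under a web root for lure phrases combined with links that leave the site's own domain. The term list, function names, and `.example` hosts are assumptions, and the sample PDF is a constructed fragment rather than a captured file.

```python
import re
import zlib
from pathlib import Path
from urllib.parse import urlparse

# Lure phrases of the kind the article describes; tune the list per site.
LURE_TERMS = ("free fortnite skins", "free robux", "v-bucks generator")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def _blobs(data: bytes):
    """Yield the raw file plus each stream body, inflated when Flate-coded."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a trailing byte lost to the regex
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)  # not Flate: scan the bytes as stored

def triage_pdf(data: bytes, site_host: str) -> dict:
    """Heuristic: lure phrases plus links that leave the site's own domain."""
    hosts, hits = set(), set()
    for blob in _blobs(data):
        for uri in URI_RE.findall(blob):
            try:
                host = urlparse(uri.decode("latin-1")).hostname
            except ValueError:
                continue  # malformed URL: skip it rather than abort the scan
            if host and host != site_host and not host.endswith("." + site_host):
                hosts.add(host)
        text = blob.decode("latin-1").lower()
        hits.update(t for t in LURE_TERMS if t in text)
    return {"external_hosts": sorted(hosts), "lure_terms": sorted(hits),
            "suspicious": bool(hosts and hits)}

def scan_tree(root: str, site_host: str) -> dict:
    """Triage every PDF under a web root; keep only the flagged ones."""
    results = {str(p): triage_pdf(p.read_bytes(), site_host)
               for p in Path(root).rglob("*.pdf")}
    return {p: r for p, r in results.items() if r["suspicious"]}

def constructed_pdf(text: bytes, link: bytes) -> bytes:
    """Constructed sample: one link annotation and one Flate text stream."""
    s = zlib.compress(b"BT (" + text + b") Tj ET")
    return (b"%PDF-1.4\n1 0 obj << /Subtype /Link /A << /S /URI /URI (" + link
            + b") >> >> endobj\n2 0 obj << /Filter /FlateDecode >>\nstream\n"
            + s + b"\nendstream endobj\n%%EOF\n")
```

This is a heuristic: text drawn with subset or CID fonts will not match plain keyword search, so treat any unexpected PDF in an upload directory as worth a manual look.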
For example, if you click the link in one PDF advertising free coins for an online game, you are directed to a website where it asks for your in-game username and operating system, before asking how many coins you would like for free. A pop-up appears saying, “Last Step!” This “locker page” claims the free game coins will be unlocked if you sign up for another service, enter personal details, or download an app. “I’ve tested it hundreds of times,” Edwards says. He has never received a reward. When people are led through this maze of pages and end up downloading an app, entering personal details, or any number of required actions, those behind the scams can earn money.
These kinds of scams have been around for a while, ad fraud researchers say. But these stand out, as they all have links back to the advertising firm CPABuild and the members that work for its network, Edwards says. All the compromised websites that have PDFs uploaded are calling to command-and-control servers owned by CPABuild, Edwards says. “They’re pushing advertising campaigns into someone else’s infrastructure,” he says. Googling for a file linked to the PDFs brings up pages of results of compromised websites.
CPABuild’s website, which lists its legal registry in Nevada, describes itself as a “content-locking network first and foremost.” The company, which has existed since 2016, hosts tasks from its customers, such as giving people the chance to win money by submitting their email and postal code details. Then users of CPABuild, often known as affiliates, try to get people to complete these offers. They often do so via spamming links to YouTube comments or creating the kind of pop-up “locker” pages towards the end of the poison PDF click chain. This results-based process is known as a cost per action (CPA) by advertisers and marketers.
WIRED contacted multiple email addresses listed on CPABuild’s website, as well as sending questions via a contact form, but we did not receive any response. The company website does not name any individuals who are behind CPABuild and is sparse on overall details. The website claims it has “daily” fraud checks in place to catch bad actors abusing its platform, and its terms of service prohibit those using it from being involved in fraud and from sharing multiple kinds of content.
The website claims it has paid out more than $40 million to publishers and has thousands of templates and landing pages. Within CPABuild, there are various tiers of users. The website’s affiliate structure is displayed in an image on its homepage. Members can be categorized as managers, devils, demons, wizards, masters, and knights. In one video uploaded by a CPABuild member on August 11, an admin account can be seen sharing a message with users that indicates the company has taken steps to prevent the platform from being used for fraud. “We are still getting reports that CPABuild publishers are promoting offers in ways that violate our terms of service,” a message seen on the screen reads. Edwards’ research shows, however, that whatever efforts CPABuild has taken have failed to prevent its users from engaging in rampant fraud.
“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent cybersecurity and ad fraud investigator, who reviewed a summary of Edwards’ findings. “Specialists like the ones identified in the research carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Customers come to them for that speciality.”
Scores of websites are currently impacted by the PDFs. This week, the New York State Department of Financial Services removed PDFs uploaded after being contacted by WIRED. Ciara Marangas, a spokesperson for the department, says the issue was first identified in 2022, and following a review and additional steps, the files were removed.
In 2022, Edwards says, he alerted the US Cybersecurity Infrastructure Agency (CISA) to more than 50 compromised websites, which included the Oak Ridge National Laboratory and the Lawrence Berkeley National Laboratory. A spokesperson for Oak Ridge said it “immediately” responded to CISA’s alert, “deleted the suspicious content, and resolved the issue.” No data belonging to the laboratory was impacted, they say. Meanwhile, a spokesperson for Lawrence Berkeley National Laboratory said it cannot comment on the individual case but “no vulnerability has resulted in the compromise of systems for visitors” to its website. CISA’s .gov registry manager, Cameron Dixon, says when it is made aware of vulnerabilities in government websites, it notifies them and offers assistance. “In any given day, you could have a list this big of new victims,” Edwards says. (In 2020, Italy’s Computer Security Incident Response Team, CSIRT, issued an alert about compromised domains Edwards had found.)
While there has been some reporting linked to potential CPABuild affiliates, Edwards says the scheme can fly under the radar, as the links in the process are passed through redirecting services, which mask their identity. Also, he says, the compromises can get overlooked as they are not as impactful as ransomware or other cyberattacks.
However, there are traces of activity linked to CPABuild members and affiliates spread across the web. Various users of CPABuild have uploaded videos to YouTube exposing how parts of the site work. One video shows someone using a “Fortnite skins generator” and a locker page that is created through CPABuild’s tools. Within another video, the kinds of offers hosted by CPABuild can be seen, including getting people to submit their email and postal code details, submitting their credit card details, installing mobile apps, and completing “general surveys.”
Hundreds of the content lockers on CPABuild’s website have been captured by the Internet Archive over the last seven years. One locker page called “Amazon gift cards” offers people the chance to complete a survey to “Win a $5,000 cash now” or to “enter” to win $25,000. Others push people to download apps, such as the Opera web browser, or enter their details to “get a $100 Roblox Game Card.” Popular kids games are frequently used as a lure for these “offers.”
“We hate this kind of stuff as much as you do, but it helps us to stay alive,” one locker page says. “Please fill in one quick form to get your password and show us your support.”
Website inspection tools, such as URLScan, show multiple suspicious domains communicating with CPABuild’s infrastructure, which is hosted by Amazon’s Web Services (AWS). Amazon’s trust and safety teams are looking at the results of Edwards’ research, says Patrick Neighorn, an AWS spokesperson. “AWS’s terms of service prohibit customers from using our services for any illegal or fraudulent activity, and our customers are responsible for complying with our terms and all applicable laws,” Neighorn says.
Meanwhile, gaming companies say examples of the websites hosting the locker pages are not legitimate. “These are scams,” says Jake Jones, senior communications manager at Epic Games, which created Fortnite. “Players have never been able to sell, gift, or trade in-game V-Bucks to another player or sell virtual items to one another,” he says. Similarly, James Kay, a spokesperson for Roblox, says that using third-party services to “buy, sell, trade or give away Robux” is prohibited, and people should avoid “offers” on websites that promise free in-game currency or other items.
Victoria Kivilevich, director of threat research at security firm KELA, says the company has seen CPABuild discussed on cybercrime and hacking forums. On one site, Kivilevich says, someone recommends creating a YouTube channel with stolen games and software content to attract videos. “The user recommends using CPABuild to place a content locker URL—apparently obtained through CPABuild—to the description of the videos and earn on visitors who click on the URL,” Kivilevich says, adding that there are frequent discussions about Fortnite and Roblox.
“Multiple users are looking for instructions on how to be approved on CPABuild and for accounts on CPABuild they can buy,” Kivilevich says.
While many of the poison PDFs push people towards scams, not all of them do. “It would appear that specific CPABuild clients are malware authors,” Edwards says. Sometimes, in the days after a negative article about China has appeared in the news, he says, some of these keyword-filled PDFs would appear and include words similar to the news articles. “The legitimate article will show up as the first result of the first page of a search, and then maybe three or four down would be honeypots,” he says. “On all of these pages, it was malware.”