This article is an excerpt from an article published by CSOOnline. It deals specifically with how spammers trick advertisers into thinking they have bought display media when, in fact, they have not.
Most of the contracts start off as display advertising, meaning an ad on a website that someone has to click. It’s a good bet that many of the major brands represented didn’t know their marketing campaigns were being pushed to email. The trick that ties everything together is converting email to display advertising.
“Basically, some affiliate companies are selling display advertising clicks to their customers, but what is hidden from them, much of what’s driving these clicks, is simply spam,” Spamhaus’ Anderson explained.
Several of the links used for a LifeLock campaign eventually landed on a registration page (archive copy) for the service, but the emails look like display ads. In 2015, Cloudmark reported on the LifeLock campaigns (archive link), including one that was similar to the offers RCM was sending earlier that year.
The LifeLock campaign was huge for RCM, generating thousands of dollars per-month in 2016 from AdDemand.
Another method of turning email into display advertising is to use fake search engines. Clicking a link inside an email will direct the recipient through a normal display advertising link and drop them onto a search results page, which displays ads as “search results” based on the topic of the email.
“Using the fake search engine trick is the most blatant way this is done. Yes, maybe the users are actually clicking on display ads presented within the fake search engine sites, but they are driven to those sites only through spam (nobody would just stumble across them accidentally). Even in this scheme, there are tracking codes embedded in every URL to ensure the correct spammers are getting paid for these so-called ‘display advertising’ clicks,” Anderson added.
Other business ties for RCM, include Demand Media (Leaf Group LTD.), where RCM runs two BIND rotator servers, registered under Pheasant Valley Marketing and eBox Inc.
Between October 2016 and January 2017, RCM collected $937,451.21 USD for their campaigns from various affiliate networks, including AdDemand, W4, AD1 Media (Flex), and Union Square Media. RCM campaign logs show business relationships with some of these companies dating back to July of 2015.
This is not the end:
The River City Media data breach exposed so many records and other internals, there was just no way to fit everything into a single story. In the coming days and weeks, Salted Hash will continue following the money and business connections of the group and report on additional developments.