‘Xindi’ Online Ad Fraud Botnet Exposed

Billions of dollars in ad revenue overall could be lost to botnet that exploits ‘Amnesia’ bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn’t use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.

Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it’s unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe’s; Marriott; Wells Fargo; California State University’s Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges.

“We are seeing some of those traffic patterns from IP addresses from these organizations,” Nasir says. “They [the attackers] could be doing IP-level spoofing” or are sitting behind these networks, he says. “We’re starting to share some of this data with those companies to investigate.”

Xindi, which was first spotted in October of 2014, is mostly hitting some big-name advertisers in the wallet, though, including Home Depot, Uber, McDonald’s, Pandora, Honda, Verizon, Nissan, and Monster, the report says.

Online advertising fraud has been thriving for some time: a study conducted last year by the Association of National Advertisers and security firm White Ops found that advertisers are losing $6.3- to $10 billion per year in online ad abuse. One-fourth of bots conducting phony ad traffic were operating on Alexa Top 1000 sites, and the bots inflated monetized ad traffic by anywhere from five- to 50%. The bots were posting phony impressions that gave the illusion of actual ad views, and the fraudsters made money via cash-out points.

Other notorious ad-fraud botnets such as Chameleon and ZeroAccess have employed clickjacking and other ad-infection methods for their click-fraud activity.

Xindi’s M.O. represents a shift in ad fraud, Nasir says. “We are seeing a shift in compromising ad traffic and transactional-level knowledge not seen before,” he says.

Xindi’s ad-impression fraud works by exploiting the Amnesia vulnerability: “This vulnerability allows Xindi to conceal the true status of an ad transaction, which in turn causes bidding engines to bid on more impressions per compromised host than originally intended. Xindi achieves this by hoarding multiple ad markups in a transient state for hours on end and replaying them in a burst,” the report says.

Nasir says the underlying issue is in how the Open RTB protocol is implemented. The protocol as-is does not include a “timeout” option, which allows phony ad impressions to “linger for hours,” he says. “There should be guidelines for what the timeout should be. That’s a proposal we have submitted” to the organization in charge of the Open RTB specification, he says.
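The timeout check described above can be sketched from the buyer's side as follows. This is an added example, not code from the Pixalate report or the Open RTB specification; the event fields, host labels, the 300-second lifetime and the burst thresholds are all assumptions, since the article gives no timeout figure.

```python
from collections import defaultdict

# Assumed values: the article says a timeout is missing, not what it should be.
MARKUP_TTL_S = 300     # max age of an ad markup between bid win and render
BURST_WINDOW_S = 60    # window in which stale renders count as one burst
BURST_MIN = 3          # stale renders per host per window that flag a burst


def find_stale_bursts(events, ttl=MARKUP_TTL_S, window=BURST_WINDOW_S,
                      burst_min=BURST_MIN):
    """events: iterable of (bid_id, host, served_ts, rendered_ts), epoch seconds.

    Returns (stale, bursts). stale lists bid_ids rendered after the TTL, which
    should not be billed. bursts maps host -> largest number of stale renders
    seen inside any one window, for hosts that reach burst_min.
    """
    stale = []
    stale_times = defaultdict(list)
    for bid_id, host, served_ts, rendered_ts in events:
        if rendered_ts - served_ts > ttl:
            stale.append(bid_id)
            stale_times[host].append(rendered_ts)

    bursts = {}
    for host, times in stale_times.items():
        times.sort()
        best, start = 0, 0
        # Sliding window over the sorted render times of stale markups.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= burst_min:
            bursts[host] = best
    return stale, bursts


# Constructed sample data, not taken from the report.
SAMPLE = [
    ("b1", "host-a", 1000, 1002),    # normal: rendered 2 s after the win
    ("b2", "host-a", 1010, 15000),   # held for hours, then rendered
    ("b3", "host-a", 1020, 15005),
    ("b4", "host-a", 1030, 15010),
    ("b5", "host-b", 2000, 2400),    # stale (400 s) but isolated, no burst
]

if __name__ == "__main__":
    stale, bursts = find_stale_bursts(SAMPLE)
    print("stale bids:", stale)
    print("burst hosts:", bursts)
```
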

Meantime, the researchers aren’t sure just how Xindi initially infects its bots. “That is difficult to find,” Nasir says. “We suspect it could be a malicious browser add-on.”

Fraud increased by 300% in online ad campaigns where Xindi was spotted, and Pixalate estimates that at the current rate, the ad industry could lose up to $3 billion by the end of 2016 at the hands of Xindi.

Its activity has been increasing over the past year as well. The last big attack–in August of this year–executed billions of fake impressions, with 90% of the activity targeting US-focused ad campaigns.

“The digital advertising channel is the missing link to identifying new, emerging threats in cyber security. Until traditional anti-virus companies incorporate this channel, threats such as Xindi will continue to be overlooked,” says Branden Spikes, founder and CEO of Spikes Security. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …
