Trojan horse turncoat ads

Dangu said eGobbler was probably able to advertise via Google using a Trojan horse technique, first building a reputation as a genuine advertiser by posting real ads.

In Australia and Germany, the group was initially posting ads for high-end women’s clothing outlets, which resulted in these real companies getting free advertising as a result of the fraudulent scheme, Dangu explained.

After running the inoffensive ads for a while, the scam advertiser will turn coat without warning, paying tens of thousands of dollars to push the bad ads. By the time the advertiser is blocked, the campaign has already been live for hours and seen by millions of people.

“They win, because they just got their two hours of success. And then they do it again next time,” Dangu said.

A Google spokesperson this month said their team would debrief to see how the ads featuring the photoshopped images of Albanese had been served to Australians.

“Ads that exploit the names and likenesses of public figures for financial gain are unacceptable,” they said. “When we find ads that violate our policies, we will remove them. The ad in question was removed within hours.”

The spokesperson said Google bad actors were becoming more sophisticated and achieving a greater reach, evolving their tactics in an attempt to evade detection. This includes a technique called cloaking, where Google reviewers are shown different content than what appears for the person subsequently viewing the published ad online.

Advertiser profiles set up by scammers can sometimes be based on inaccurate or fraudulent information, the Google spokesperson said.

Katherine Mansted, head of cyber intelligence at cybersecurity company CyberCX, said all sorts of illegal online activity spikes during this time of year because the bad actors knew companies were operating with a skeleton security staff and that the public was more likely to be spending time online.

“Whether we’re talking scammers, cyber criminals or nation states, they exploit critical holiday periods like Thanksgiving, like the Christmas shutdown.”

The latest suspected eGobbler attack occurred on the evening of November 26, about two days before Thanksgiving. Around the same time, similar ads were earning millions of impressions across Europe, as people in Germany, the United Kingdom and Sweden were beginning their day, Dangu said.

“The reason they target the US holidays is because they know that these tech companies are based in the US, and so there’s less attention [on security],” he said.

Although the ads ran on many different websites, including Australian news outlets, Dangu said they all originated from Google, which serves up ads to many third-party websites. He said Google was a prime target for major scam ad attacks because of its dominance of the global digital ad supply.

Mansted agreed, noting that while Google had been doing more to counter bad actors abusing its paid ads, “it’s not enough because it only takes an hour or an even shorter amount of time for potentially hundreds or thousands of people to be exposed to a malicious ad”.

More than 90 per cent of ad impressions traded via the ad tech supply chain passed through at least one Google service in 2020, the Australian Competition and Consumer Commission estimated.

The ACCC has raised concerns that this market dominance could harm Australian publishers and consumers. Google is facing two proposed Australian class action lawsuits over allegations the search giant engaged in anticompetitive conduct in the digital advertising market.

Google on the hook

Among the websites to be impacted by the shocking ads featuring Albanese were those belonging to The Age and The Sydney Morning Herald newspapers, published by Nine, the owner of this masthead. The ads sparked a flurry of reader complaints.

Nine has expressed frustration with Google about rising instances of these types of scam ads, some of which use artificial intelligence.

“We have raised a number of concerns directly with Google and are in active discussions with them to rectify the increase of inappropriate advertising through programmatic ad marketplaces,” a Nine spokesperson said.

“Like most major publishers, Nine utilises programmatic advertising which automatically serves digital advertising to readers. The ad in question was not approved by Nine, has no place on our platforms, and does not reflect the rigorous editorial standards that we uphold.

“While we took immediate action to remove and block the ad from our site, we apologise to any readers who were impacted or offended by it.”

Australia’s Financial Services Minister Stephen Jones said new laws currently before parliament would place an obligation on tech platforms such as Google to prevent this type of content being shared.

“The government’s legislation puts digital platforms on the hook for publishing scam content and gives them the choice to either prevent scams, or face hefty fines and compensation for victims.”

How the scam works

Some scam ads that showed the phoney images of Albanese were linked to a fake Nine News article. The headline read: “A new project called Quantum Ai has launched, offering every Australian the opportunity to earn an impressive $25,000 AUD per month, starting with just $400!”

People who clicked on the article were encouraged to register their name, email and phone number to sign up for the investment project. Instead, their details would have likely been provided to scammers.

Sergeant Alexander Kazagrandi, with the Australian Federal Police’s Joint Policing Cybercrime Co-ordination Centre, said once Australians registered their contact details with an investment scam website, they were typically contacted within a day or two, then asked to make a small initial deposit.

“Sometimes, they’ll be handed over to another agent or [the] so-called manager and prompted to invest more and more as time goes on. These relationships or these interactions can last days or several months,” he said.

“Sometimes, they will even offer the victim a small amount to withdraw to [give people the impression they have had] these significant earnings … unfortunately, when the rug is pulled, it’s quite often very difficult to recover those funds.”

A recent investigation by this masthead heard from criminal insiders and cybercrime investigators who said scam marketing companies, known as affiliates, could earn between $100 to $3000 in commission for passing on the details of a single victim to scammers.

Dangu said eGobbler would have multiple criminal partners to whom they could sell the personal data, estimating that the group could have made tens of millions of dollars from their latest scam advertising blitz.

He suspects the group has ties to China, based on the details of registered legal entities linked to the company.

“In the registration information, you would see Chinese residents registering companies in the US … [They are] very likely borrowed names that are just on paper and not really involved in actual schemes.”

Get the day’s breaking news, entertainment ideas and a long read to enjoy. Sign up to receive our Evening Edition newsletter.