Duke Researchers Observe Dramatic Changes in Undesired Third-Party Code on Duke Network
Harrison Grant, Political Science B.A., The University of North Carolina at Chapel Hill
Since the beginning of July, a
team of Duke researchers has been collaborating with The Media Trust, a private
cybersecurity company, to investigate an under-researched area of cybersecurity
risk: the impacts of undesired third-party code on internet users. The study
involves analyzing two evolving datasets: one collected by The Media Trust, and
the other by a security team at Duke’s Office of Information Technology (OIT).
The Media Trust has created synthetic
user profiles that are designed to mimic the characteristics and behaviors of
Duke students and faculty. Those synthetic profiles visit popular websites, and
then The Media Trust scans the code that is delivered from those websites. The
research team analyzes those results to reveal code that is provided by third
parties, rather than domain owners, such as undesired code provided by online
advertising. The three goals of that analysis are to determine: (1) the
potential negative impacts of the code, (2) the domains that serve the code
that could have negative impacts, and (3) the frequency with which the undesired
code is being served. Meanwhile, the team from Duke OIT analyzes the degree to
which its other cybersecurity tools identify this unintended code, and the
internet domains that serve it, to real Duke students and faculty. With this
two-pronged approach, Duke’s security team can take a deeper look at how third-party
code interacts with its internet network’s users and can create more effective
security responses with that information on-hand.
In early September, one of my
research peers, Chas Kissick, published an article
that detailed the study’s findings from July. Since that time, the research
team has analyzed the dataset for August as well. Therefore, this article will
serve as a continuation of its predecessor, analyzing the trends in the
findings from July and August to begin to explain the patterns of this
undesired code, and the potential resulting risks on a month-to-month basis.
From a raw, numerical perspective,
the July data provided our research team with the following information: The
Media Trust conducted 325,493 scans using its synthetic Duke accounts, where
each scan represented an interaction between the synthetic profile and an
external domain. 792 of those 325,493 scans yielded a flag for undesired code
which may cause risk to the user. Those 792 incidences break down by category
as follows: 276 coronavirus scams, 272 browser add-ons/plugins, 159 heuristics, 52
phishing attacks (43 of which were perpetrated in 1 day, by a singular threat
actor termed ICEPick-3PC
by The Media Trust), 21 fake software download prompts, and 12 click fraud
incidences. For a more in-depth understanding of each of these categories, see
Chas Kissick’s work.
In August, The Media Trust
conducted 722,066 scans using its synthetic Duke accounts. Of those 722,066
scans, only 364 of them yielded undesired code flags. Those 364 break down as
follows: 3 coronavirus scams, 48 browser add-ons/plugins, 218 heuristics, 35 phishing
attacks (10 by ICEPick-3PC), 32 fake software download prompts, and 28 click fraud
incidences. It appears that something happened between these two months that caused
the domains serving the undesired code to change their tactics. The question
for the research team is: what?
In concert with the team from
Duke, Pat Ciavolella, Digital Security and Operations Director at The Media
Trust, has been digging into the dramatic decreases in total incidents (from
792 to 364), coronavirus scams (from 276 to 3), and browser add-ons (from 272
to 48). Their analysis of the decreases has
led both parties to one possible explanation: websites and advertising networks
have realized that some of the third-party code that they were serving included
material that violated domain policies and could cause harm to internet users. Since
that realization, many of the advertising campaigns that were delivering
undesired code have been discontinued or allowed to expire. This cleansing of
the digital ecosystem could be one of the contributors to the dramatic decline
in Coronavirus scams and Add-ons that the research team has discovered. More interestingly,
it also appears that the declines in these two categories are primarily
attributable to one key player.
By looking at specific campaigns
that were serving undesired code in July, The Media Trust has been able to
trace many of those campaigns back to large, popular websites. In week 2 of
July, and in the weeks prior, Google was serving much of the advertising
content and third-party code on those websites. In that same week, The Media
Trust detected 115 Coronavirus scams, all delivered through that undesired code.
By week 3, that incidence number had dropped to 5, and since week 3, The Media
Trust has not detected any measurable undesired code in these categories from
Google-served advertising. Coronavirus scams accounted for 34.84% of the total
incidences that The Media Trust detected in July. By August, the category had
declined to less than 1%, yielding a total decrease of 34.02%. Whatever Google
did, whether they actively removed those campaigns, or those campaigns simply
expired, appears to have provided significant protections for users against the
negative impacts of this third-party code.
The decreases in these Coronavirus
scams could bode well for the future of the digital ecosystem. Third-party code
creators commonly use global circumstances and current events as the backdrops
for their campaigns, but it seems that websites and content providers have
become aware of the scams for personal protective equipment and fake COVID-19
headlines.
It may appear that the 39.82% increase in Heuristics' share of all flagged
incidences (from 159 of 792 in July to 218 of 364 in August) is bucking that trend.
However, an analysis of the weekly average of that category demonstrates that
the Heuristics incidences have not increased since July. By and large, the same
threat actors have been using Heuristics attacks since the beginning of 2020,
and they have been using them at relatively similar rates. The average weekly
incidence of Heuristics in July was 40 cases per week; in August, it was about
55. However, that increase was driven by a single week where The Media Trust
detected 88 Heuristic incidences. Apart from that week, the average weekly
occurrence of this category has not increased notably since July.
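The analysis described in this article, separating third-party code from a site's own code, breaking flagged scans down by category and serving domain, and checking whether a monthly rise is driven by a single week, can be reproduced on a small scale. The following Python is an added example written for this page; it is not code from the Duke research team or The Media Trust. The scan records, week numbers and domain names are constructed placeholders, and the "registrable domain" helper uses a two-label simplification (assumed here; a real tool would consult the public suffix list).

```python
from collections import Counter
from statistics import mean, median
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (last two labels).

    Simplification assumed for this example: a production tool would use the
    public suffix list so that hosts such as 'foo.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """A resource is third-party when it comes from a different registrable
    domain than the page that embedded it (the domain owner's own code is not)."""
    page_host = urlparse(page_url).hostname or ""
    res_host = urlparse(resource_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def third_party_flags(scans, month):
    """Flagged scans for `month` whose code was served by a third party."""
    return [s for s in scans
            if s["month"] == month and s["category"] is not None
            and is_third_party(s["page"], s["resource"])]


def category_breakdown(scans, month) -> Counter:
    """Goal 1: how many flagged third-party incidences fall in each category."""
    return Counter(s["category"] for s in third_party_flags(scans, month))


def category_share(scans, month, category) -> float:
    """Percent of a month's flagged third-party incidences in one category."""
    counts = category_breakdown(scans, month)
    total = sum(counts.values())
    return 100.0 * counts[category] / total if total else 0.0


def serving_domains(scans, month) -> Counter:
    """Goal 2: which hosts served the flagged third-party code, and how often."""
    return Counter(urlparse(s["resource"]).hostname
                   for s in third_party_flags(scans, month))


def weekly_profile(scans, month, category, weeks=(1, 2, 3, 4)) -> dict:
    """Goal 3, by week: per-week counts plus statistics that expose a single-week
    spike (a high mean next to a low median and a much lower mean without the peak)."""
    per_week = Counter(s["week"] for s in third_party_flags(scans, month)
                       if s["category"] == category)
    counts = [per_week[w] for w in weeks]
    peak_week = max(weeks, key=lambda w: per_week[w])
    rest = [c for w, c in zip(weeks, counts) if w != peak_week]
    return {
        "per_week": dict(zip(weeks, counts)),
        "mean": mean(counts),
        "median": median(counts),
        "peak_week": peak_week,
        "mean_without_peak": mean(rest) if rest else 0.0,
    }


def scan(month, week, page, resource, category=None):
    """One synthetic-profile visit and one resource that page delivered."""
    return {"month": month, "week": week, "page": page,
            "resource": resource, "category": category}


# Constructed sample data: placeholder domains, not sites from the study.
SCANS = [
    scan("July", 1, "https://news.example.com/story", "https://news.example.com/app.js"),
    scan("July", 1, "https://news.example.com/story", "https://cdn.adnet-example.net/tag.js", "coronavirus scam"),
    scan("July", 1, "https://shop.example.org/cart", "https://shop.example.org/track.js", "heuristics"),  # first-party, excluded
    scan("July", 2, "https://shop.example.org/cart", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("July", 2, "https://news.example.com/story", "https://cdn.adnet-example.net/tag.js", "coronavirus scam"),
    scan("July", 3, "https://blog.example.net/post", "https://plugins.addon-example.com/install.js", "browser add-on"),
    scan("July", 4, "https://news.example.com/story", "https://cdn.adnet-example.net/tag.js", "phishing"),
    scan("August", 1, "https://shop.example.org/cart", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("August", 2, "https://shop.example.org/cart", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("August", 2, "https://blog.example.net/post", "https://clicks.fraud-example.io/c.js", "click fraud"),
    scan("August", 3, "https://shop.example.org/cart", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("August", 3, "https://shop.example.org/cart", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("August", 3, "https://news.example.com/story", "https://static.adnet-example.net/px.js", "heuristics"),
    scan("August", 3, "https://news.example.com/story", "https://cdn.adnet-example.net/tag.js", "heuristics"),
    scan("August", 4, "https://blog.example.net/post", "https://static.adnet-example.net/px.js", "heuristics"),
]

if __name__ == "__main__":
    for month in ("July", "August"):
        print(month, dict(category_breakdown(SCANS, month)))
        print("  serving hosts:", dict(serving_domains(SCANS, month)))
    print("July coronavirus share: %.2f%%" % category_share(SCANS, "July", "coronavirus scam"))
    print("August heuristics by week:", weekly_profile(SCANS, "August", "heuristics"))
```

On the constructed data the August heuristics profile shows the pattern the article describes for the real dataset: the weekly mean (1.75) sits well above the median (1.0) because one week carries four of the seven incidences, and the mean without that peak week falls back to 1.0. Note that a flagged resource served from the page's own domain (the July week 1 `track.js` line) is deliberately left out of every breakdown, since the study's focus is code provided by parties other than the domain owner.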
Our research team plans to continue to analyze the results in future
months to determine whether our initial conclusions are accurate and to see how
the volume of these categories of undesired code changes over time.