
Alex Rymdeko Harvey - Malvertizing Like a Pro

BSides Augusta · 2015 · 45:39 · 72 views · Published 2015-09
Category: Technical
Style: Talk
About this talk
Video from BSidesAugusta 2015.
Transcript [en]

Sweet. All right, so today we're going to be talking a little bit about malvertising and kind of my take on it. Let's start with a little bit of introduction. My name is Alex Rymdeko-Harvey. It is a really long last name, and I know it has already been introduced in a couple of places. You can find me at @Killswitch_GUI on Twitter, or on my blog, where I'm currently trying to build up a name for myself within the infosec community, at cybersyndicates.com. I work for Veris Group as a pentester. Some daily duties include anything from pen testing to red teaming,

and I really, really enjoy it. It's been a great move to the northern VA area. We're always hiring, although this is not sponsored by Veris Group itself; I always want to give a little shout-out for taking me on and allowing me to come down here and visit the Augusta area. All right, so a little bit of a warning: I'm not a reverse engineering SME or expert by any means. I'm not doing this every day, and this is really my take on what it would take to build out basically an ad campaign, make

it effective, and how to execute it. It's pure speculation from what I found open-source-wise, and we'll basically be covering some of the basics of ad-based malware, some OSINT that goes with it, my campaign methods, and some of my epic failures. So, a little bit of overview: we're going to cover what is malvertising, what is malvertising versus, let's say, a strategic or targeted malvertising campaign, and what makes it so important. What do I already know? There's a lot of knowledge in this room. Potential methods, maybe for social engineering; you could learn something from this. Maybe target a specific unknown group or

individuals within a demographic region, and also what makes it so effective, what tools do I need, and what tools are maybe the enemy, or attackers in the wild, using currently. So let's take a little bit of a look at the current malware trends taking place. Phishing is still very effective; we use it all the time, it gets amazing click rates, and with that comes a large increase in security products in that realm. So attackers are moving away from that. In the last year there has been over a 350% increase with ad delivery itself. Secondary and trusted

C2 sources are being used with this. Some of the most recent stuff and some interesting research has come out on the Las Vegas side with the CloudDuke toolsets, and also HAMMERTOSS, things like that, using Twitter to disguise their C2. Exploit kits from years ago are still working to this day; people are still not patching. It all combines together to make this extremely effective, and most importantly it's out-of-band communication: it's hard to detect what you truly trust. So let's talk a little bit about the money side of it. Delivering malware makes some money, so maybe I want to add

in a portion of malware as part of my malvertising campaign that I want to deploy with it. But at the same time, it costs money to deploy this malware, so I want to make a little bit up on the end. Maybe I want to do some click fraud to click on some text-based ads, or maybe even video ads like Flash ads, which are the newest and hottest thing right now. They have instant, I guess you could say, cash-out value; they return a higher impression rate. And also delivering, say, ransomware. You'll see as we go forward into this talk the

importance of the targeting aspect: everything from what you make a year down to what you ate yesterday can pretty much be targeted today with the current analytic engines out there. And of course legitimate business: there are a lot of companies that spend millions of dollars a year to advertise on social media, Google, ad campaigns, stuff like this. It cost publishers over $20 billion last year in lost revenue between click fraud and the increase of global ad-blocking programs; a lot of you guys probably even run a script blocker, things like that. So let's cover what is malvertising. In

my definition, it's really the use and abuse of a legitimate source of, let's say, intelligence, and then using that to be able to deploy and distribute your malware. The interesting thing about this is there are so many ways to go about it; there's no one right way to do it. We've seen notable cases in the past two years, everything from compromised ad companies to basically impersonating legitimate companies, malware being hosted in ads themselves, maybe doing some OBC and being able to inject iframes, things like that, and also legitimate targeted campaigns. The last one is not being talked about much. In the

past two weeks I've actually started seeing some more chatter within the news media talking about social media as a possible breeding ground for potential malware in the future. So this is kind of unique; I'm talking about something I don't think, at least from my research, has been talked about much. Some core fundamentals: who are the major players in the ad campaign realm? We have Google, massive; Facebook second; and Facebook has a really powerful analytic engine, and that's what I use mostly for my targeting during my campaigns. Some of the main delivery methods: social

media, we talked about that; some sponsored search, things like you see when you pull up Google and right at the top you've got whatever company you're possibly searching for, right at the top. The most important compensation method that we're going to cover is cost per click, and we'll see that later on when we actually start running some of the malware campaigns, potential or theoretical campaigns. And ease of deployment: it's available to anybody. Anybody in this room can spin up a Facebook page and be up and running within, I would say, 10 to 20 minutes, and they use

everything from taking payments from Visa to PayPal, so it makes it pretty easy for somebody that's malicious to stand this up and get rolling. So what are some of the benefits? Cost: yes, it costs money to deliver, let's say, potential malware, but at the same time your malware is also making you money. And possibly, as some of the APT groups, or I hate to use that word, advanced threats out there, as you may know, they'll spread out a botnet with some basic tools, some basic Trojan kits, but then they'll find something interesting and they might want to stay planted there.

They might bring on their secondary C2 stuff, stuff like HAMMERTOSS that was most recently in the news, things like that. They're going to stick around, so you might catch the initial exploitation, but you're not going to catch the second one; you're not going to catch the entire C2 running through steganographed images. It's going to be pretty hard to go about that. And measurable: well, Google Analytics, it's what I use during this whole thing. It's easy to track your results, everything's being built for you already, it's already out there, it's easy to build, and it can be easily

targeted. I think this died, sorry. Okay, I don't know what happened there; sorry about that. So let's talk a little bit about the analytics itself. Like I said before, analytic engines are at your fingertips; they're all out there. Google has one that I find the most powerful: it's free, it's easy to integrate, simple JavaScript code, and unless they're blocking scripts, it's not something that people usually go out of their way to block. So I talked before about a broad target: maybe I want to target a specific ZIP code, or maybe a specific job title; things like that can all be

integrated into your campaigns. And most importantly, it's extremely accurate. I found it almost pretty scary to think of the stuff that you can actually integrate into some of these ads. I don't even know the legitimate resource or reason behind picking some of that, as we'll see as we move forward. Let's talk about some of the malvertising in the wild. I don't necessarily have any reverse-engineered malware; I do have some samples and stuff like that on the side if anybody wants to hit me up after, and I can pass you some of the stuff. But let's go

across the top four and how they're kind of going about it. Ad injection: about a year ago a company called Ara Labs released a write-up, which I don't know what happened to it; it's gone, I haven't seen it, they removed it from their blog. But it did have a write-up on some new malware that was being used to basically exploit, let's say, a small business router, take over the router, reprogram DNS, and simply make it so that when you go to query a web page, the Google Analytics JavaScript code is actually pulled out and replaced with your ad. It was pretty interesting, and at the same time

it scares me, because now they don't have to target endpoints anymore. Now they can just go after your router, and now they can feed their entire ad campaign, making tons of money off of it, without even touching one endpoint. It's probably pretty hard to detect when your router's been pwned; I've never had to find that. Maybe some of the defenders out there have, but it may be pretty hard to detect. Secondly, passive collection of ad data. This one's kind of scary, and Google's been making some really big headway in this realm. For the longest time, ad traffic was in HTTP, so while you

were browsing your website over HTTPS, secure, fine, good and dandy, your site was leaking HTTP traffic the entire time for ad traffic, and some ISPs got a good idea that, hey, maybe I can capture this, take this data and then sell it to other companies. This was discovered about a year ago in a talk in Canada, and it was basically a man-in-the-middle, kind of reproducing the same thing; instead of injecting ads, they were actually just collecting the data and moving forward. Now, the interesting thing about that talk was that they said it was possibly being sold, or maybe the collection methods. You take that for what it

is. So what about exploits within the ad traffic? We talked about maybe injecting iframes, things like that. This is probably your more common one: maybe using obfuscated Flash exploits, being able to pass the review process and then being able to deploy it through legitimate means. Maybe you go to submit an ad to Google and it's a Flash video, but in reality it's redirecting, injecting, let's say, an iframe, something of the sort, and pushing you off to a secondary exploit site. And then another notable case: maybe some news sources that have been exploited. They were basically going after the ad

companies themselves, taking over the ad companies and then placing their malicious ads legitimately on other main websites, sites that you may trust. I think there were cases of CNN, some other major news companies. That's really the redirect, and then basically drop an exploit kit as well; I think that one was particularly using Angler, stuff of that sort, and it was basically for click fraud activity. So what about the exploit kits themselves? They are dramatically increasing, and as they are increasing they're also evolving quite rapidly. Poweliks, I'm sure a lot of you have heard of it: it was registry-based, it was persistent,

and it was quite scary for the time frame. It was interesting because the first versions were just basically building that backdoor C2 channel, but then the newer versions, I think it was 1.7, from what Symantec was saying, basically spotted an ad-clicking component that was built into it. So you're starting to see it; it's starting to catch on. Now, that was a very basic one. It had like 15 to 20 different selections of possible ads that they were going to go after and click, and it would just check with the C2 server: hey, what do I need to click now? But the more advanced ones: Kovter,

this is an exploit kit, I think it's been around from the 2014 time frame, and it evolved from a standalone, you know, just drop the binary to disk and then produce click fraud activity, to now it's being wrapped up in packages for other exploit kits like Nuclear Pack and Angler, and it's being seen used in the wild that way. So that means that they've moved from just the basic simple binary to now you can wrap this entire process up into other exploit kits and make it usable, and that's probably why we're seeing that great increase of ad fraud activity. So as blue team defenders, maybe some of you guys are asking, why should I

care? Maybe you feel like you're pretty secure. Well, in most cases the security industry is increasing; I feel like it's moving forward in the right direction. Online attack surface is reducing: no longer, when I scan externally during an operation, am I most likely going to find something. It's usually going to have to be through the means of phishing, something of that sort. And companies know that; security companies know that. They're spending a lot of money to develop platforms; FireEye themselves has a lot of spam filtering, stuff of that sort, and they're spending a lot of money investing into that. So attackers know

that they need to find a different route, and with that comes the delivery method. Do you block Twitter, Google, or maybe even Facebook at your border routers? Not many places do, so it's a great breeding ground to deliver your malware, all staying within that trusted source. We all trust these name-brand sites, and are they really protecting us? It's a serious question, and we really have to start asking companies like that to explain how they go about protecting against malware. I mean, they say, oh, we don't allow malware to be in our ads. That's really generic, thank you, but at the same time, are they

actually checking? So we're going to discover some of that. Systematic problem: why it really isn't an easy solution. A lot of times campaigns like this may have to be run at a targeted level, maybe something zero-day-level Flash exploits, which we're seeing drop all the time, so it's not like it's impossible. And most importantly, it has to be funded. This is not something that you maybe start up one day and you're just rolling with it; you're probably going to need a couple K to get started and rolling. We'll see that at the end as well, kind of what my statistics were and things like that. So now we've covered some of the

basic core fundamentals, stuff like that. Let's take a look at how I went about delivering an ad, targeting-wise. So I built a simple methodology and I kind of stuck to it. I knew that I needed to select a demographic location, and I knew that I needed to select a target within there, and I knew that I had to do some basic OSINT research, develop a campaign from it, and then build some reputation development. I knew it had to be enticing for somebody to click: you don't build a phishing campaign coming from a domain that's not even related to your target. It just doesn't happen, usually. Then

deployment, and then obviously deploy it. So like I said before, Facebook was my key method of use. I wanted to pick a couple of different platforms, but I realized I didn't have the time to explore all of them. I only had a limited amount of time after work; I have a family, a lot of you probably do too. This is not my everyday job, so I knew that I needed something fast, that would work reliably, and that would give me results, and it seemed like the best one for me was Facebook. It seemed cheap, it was easy to set up, and it seemed like the reputation was easy to build

for me. So some basic settings in there: the location, you can basically say, let's say I want to target Fort Gordon or something of that sort, or maybe the Augusta area; I can easily put that in. Age may be an important factor to you, may not be; gender, those things didn't really matter to me. But most importantly, the demographics: the selections under there are what make this possible. So let's say we have a target selected and we need to kind of understand what we're going after. How do we calculate it? How do we know how many people we're going to be hitting? And at the same time,

it can give you a metric to basically say, is it worth going after this demographic or is it not? The interesting thing here is that there are other nefarious means that you could use this kind of stuff for; let's say you need to judge an organization's size in a certain area. Now, these are not often methods of what we do in the pen testing realm or open source realm, but at the same time it does happen: other countries out there are trying to target other organizations, from big corporations to government organizations. And I feel like, even though Facebook's made some major changes since 2011, there was

some collegiate research that came out basically showing how easy it was to pinpoint down to the persona layer, and they did make some improvements, but it's still just not enough. So let's take a look at that. I want to target, let's say, some people in the Fort Gordon area within 25 miles. I want to see how many potential people I could talk to within the military, Army, Navy, Marine Corps, within this area. They give me 14,000 potential reach. That seems pretty accurate to me; I lived in this area before, so I went and started doing some open source research, and I found, hey, right on the

Fort Gordon website there are 13,000 active duty Army, Navy, Air Force, Guard and service members. It seemed a little too easy to me to be able to find that information that simply. Now, this has some background; it's not as easy as this. This is pretty accurate; there are people on social networks, but I've also gone after companies like Walmart on the side, and their headquarters, I think it was like Kansas or something of a sort, and it was not very accurate: it was 50%. So it's hit or miss. Although this is 90, I'd probably say anywhere between 90 and 50% accuracy for selecting a

sample. So let's talk a little bit about that OSINT. A lot of you do know what OSINT is; I'm not trying to reteach something that's simple, but at the same time the three important things we really want to mark on here are the levels: the physical, the logical, and the individual persona layer. The most important thing here is that we're linking physical to the logical layer. We're linking computers to people, possibly, and also the physical locations. Now we're able to deliver our malware; that has been sought after for a long time by advanced attack groups and threat actors, to deliver their malware to certain

locations. If you ever look at a malware brief or any type of threat brief on a specific actor, they're going to tell you what likelihood of origin they were, right? And they're going to tell you a little bit about what they were going after. They'll usually give you like 50% in Russia, 49% in Europe and these areas, and then maybe 20% Africa, things like that, and then you might not even see anything in America. That's kind of an important point: when you look at a malware brief like that, you're kind of like, okay, so where or who is this orienting source? Is this something maybe stateside, or is this some source that

only wants to mess with Russian-based equipment or something like that? Maybe they're only targeting Russian-based areas. So that's an important question that you always have to keep in mind. And now we have, let's say, a target selection; we have a couple of possible people we want to go after, or organizations we want to go after. What things do we have to think about? We have to think about, what are their work hours? Do we want to deliver at a time when they're at work, or do we want to deliver when they're at home, maybe surfing on their home computer, accessing potentially, let's say, corporate

resources where maybe VPN may not be in place? But I may want to target that, because it's most likely they're going to be out of date, or they're not going to have the right patches for what I have. And at the same time, maybe I only want to target that specific corporation's network. So there are important things you've got to keep in play. And then, what system am I going after? Am I going after a Linux-based or a Windows-based system, and can Facebook really tell me that

information? So you want to deliver your ads on a schedule? No problem, Facebook's got you covered. They have a simple layout where you just select the block and say, hey, Monday through Tuesday I want to engage my ad from 6:00 to 9:00, to 12, and then maybe a little bit after lunch, and I want to stop. Or let's say I have an operating system I want to target; Facebook's got you covered again. They say, hey, we have, let's say, primarily Mac: I want to primarily target Mac and I want to go after Safari. They've got that. And scary enough, with a lot of the mobile exploits that are currently being released, you can go after certain

brands, iOS devices, Android, or maybe even the specific phone type that you want to touch. So there is some serious power here. A lot of times we have data and we don't know how to use it or maybe correlate it, and in many cases we're starting to see threat actors use this type of data to basically push forward with their campaign: define the end user, hunter functions, stuff like that. harmj0y, Will Schroeder, if you know him, he built this toolset called PowerView, PowerUp, things like this; they give you post-exploitation, basically, situational

awareness to be able to leverage and move throughout the network, to pivot, possibly, using tools like that. They're critical in our toolset. A lot of times everybody's all hyped up about the initial exploit, but it's usually the stuff that's after that you need to really worry about. Things like WiGLE: it's an interesting concept, open source, anybody can query a MAC or SSID and they're up and rolling. They can orient an attacker; let's say you want to know where your potential target is. Things like this are really helpful. Some really notable programs are also mentioned in HoneyBadger; Tim Tomes will be speaking later, and I'm really looking

forward to seeing what he's got today. And if you haven't seen this, and you're probably in this room and you might work within the IC community: it's pretty scary. Scraping LinkedIn for basically IC-related accounts using keywords, and they built a huge database called ICWATCH, the Transparency Toolkit. I don't necessarily agree with it; I don't think the reasons were there for the right reasons, but it's definitely scary. And Hacking Team, I know everybody's been talking about this lately and probably beating a dead horse, but they had one interesting thing in there that I really found unique: they had the ability to de-anonymize locations based

on WLAN interfaces, not just going past what's in the registry, forensic artifacts, but now they were able to basically tap in, monitor your NIC, turn it into monitor mode, and boom, uncloaking physical locations based on that. That's an important concept. Those are the kind of things that this can help you achieve, your end goals. So, offensive targeting: imagine where you can only target people with a certain job title, maybe making a certain amount of money, because you want to target people that are high up, making 100K plus, to deliver my ransomware. I know that they'll most likely pay for their critical data. Or maybe it's crime or collection methods, maybe,

you know, maybe state-sponsored malware, something that is being used like this. I don't know; I haven't seen any research to support it, but at the same time it's definitely worth bringing up, or maybe even bringing up the fact that it could be being done, and this could support the IC efforts in many countries. I know it's getting into deep water, but it really could be used. So let's talk about some of the traditional targeting phishing methods. These are some basically blacked-out versions of stuff that I've built for engagements, with embedded objects, maybe even some OPM breach data, stuff like

that, things that people care about in the government, and they work; they work quite often. So let's talk about phishing. Very common, known; probably almost everybody in this room knows how the simple methodology works, and it's very successful in our engagements. But at the same time, these are the same principles I used to create my ad campaign: the same type of open source research that you do ahead of time on your target, I used to create my ads. But there's a niche here: they don't have the ability to pinpoint demographics. You only see a username and an email address; you don't know

necessarily who that's linked to. Or possibly you do; maybe you know it's just linked to the recruiting team, but you don't know what's behind there. And that's really where targeting comes into play with this platform: it gives you the ability to step past just the username and into their daily life. And of course, the days of dropping entire employee directories with a wildcard are most likely over. It's becoming kind of hard to grab a lot of that data from an internet presence for phishing use, and training has increased dramatically; a lot of companies, government organizations,

they're all using some type of phishing training and have some type of SPF framework built in to prevent a lot of the spam that's taking place today. So let's combine it. I know that I want to build some type of social engineering campaign, but at the same time I need to have something that's trending. Facebook's got you, don't worry, or Twitter, or even Google: they have this great chart of the most trending topics. So, hey, Ashley Madison, that was kind of hot when I was doing this; that's kind of interesting, and at the same time I could be using these, or pick a couple and just roll right away with it. Another interesting thing is

search engine optimization. Not necessarily Google search engine optimization, but really there's a toolset out there that, I would say, not-so-trustworthy people put together to basically, let's say, put Facebook likes on your post or add Twitter followers to your account, things that build instant reputation and legitimacy. When we look at a Facebook stream and we're sitting there, maybe looking for the next car video out there, you're really interested in Speed Society's page, and you're like, oh wow, that has 50,000 likes on it; I'm probably more likely to click on that than the one that has zero likes and no comments on it and

it's not trending. That'd be kind of hard to entice your users to go after. So using tools like this, you can basically build your reputation and also build your legitimacy. I did try this with Facebook; unfortunately, a lot of the sites that were used to do this were actually cracked down on within the past month or two. Facebook has been making a pretty big stride to stop this clickjacking method, basically; I guess they have some big analytics engine that they're trying to stop a lot of this stuff with. So I was able to do it with Twitter, and we'll talk about it a little bit later, and that'll be

interesting. So what does this really mean now? As we talked about before, we can physically target to the logical layer, and now we can correlate location, jobs and workplace, salary, all that kind of stuff. So let's move into my own campaign. My setup: I knew that I needed something simple, reliable, so I moved over and found something unique, like a domain name that was this area, and we'll cover that next. I set up a simple DigitalOcean VPS, and then I used Apache vhosts in case I needed more domain names; I didn't know how many ad campaigns I was going to run at the

time. So I set all this up, and I knew that I needed static content. I knew I needed the site to look somewhat legitimate, so that when Facebook reviewed my stuff they weren't just seeing a blank page with an index.html with some JavaScript in it; that doesn't look too legitimate. I knew I needed Google Analytics as a backbone, and I had $20 a campaign. I was going to run two campaigns, so 40 bucks: how far will 40 bucks and some good ideas get me? So I set up my Google Analytics account, I bought the domain augustacyber.com, and I was up and running. I knew I needed to build a relevant page, so I went to some logo

site, built some cute logo, slapped it on there, found the next cool cyber photo or whatever they had out there on Google and whipped it in there, and next thing you know I was targeting cyber personnel in the Augusta region. I knew that I wanted to select a broad target; I wanted to see how effective it was from a geographical location. So, hey, I knew Ashley Madison was hot, I was definitely going to use that, and I knew that, having analyzed some of the dumps before, there was some interesting information in there regarding some of the CSVs and Excel documents regarding credit card payments

and the locations of those credit card holders, and I knew that that had probably been visualized somewhere out there. So I knew that I needed to have a tagline. It needed to be deceiving, but not 100% the truth, because the truth's not fun and enticing. I needed something that was enticing on the image side. So I put together a clone website: found this data visualization site that basically built out the entire Ashley Madison user base per capita and supplied it by ZIP code, and I cloned that website. I was up and running, and I knew that I needed to build out a simple config, so I needed to alter some of the static code. I didn't want

their Google Analytics JavaScript going back to them from my website; that would probably not look so good. So I removed all that, but I left in the mirror tags from HTTrack; they do supply mirror tags. And I said, hey, if Facebook can't detect that I mirrored this site, and I leave the tags in statically, then that's probably a problem. And I knew that I needed to make sure that if this thing was shared, the proper meta property tags were in place to share the picture, just so that they would actually populate correctly, rather than what I was building, because when you build out

your ads you can select the image rather than what's actually being used at the website and automatically pulled in from Facebook when they do their initial query um so I originally came up with this and it was this somebody tweeted this out and this is legitimate data and this was done it was um de anonymized somewhat um and I knew that hey people like videos like I click on videos all the time so I was like I'm definitely going to use a video didn't work they actually cared about this they actually said no you got to actually have a video in your HTML source to actually um to actually like go ahead and put a video marker on your

image so that didn't work so F too good but I came up with a different image I kind of Photoshopped out put a zip code in there Bluff the per capita usage and next thing you know is kind of up and running with the basically a Nifty tagline saying something about verified credit card users near your area uh and it seemed to work pretty good so I know that I wanted to set up an ad like I talked about before 25 milei radius within the gusta region I didn't really care about the the age group too much I knew that I could reach 270,000 people I wanted to optimize it but this time I wanted to kind of leave it open

uh but I definitely didn't want to go into Audience Network which is anything from an app to uh potential other sites I wanted to kind of keep this from Facebook that way I can keep a lot of the results in play um and the schedule I kind of left open as well uh second ad set up I want to do something a little more specific I knew that hey last year there was this chamber of conference meeting and uh there was this speech about here and there's been a lot of Buzz about that and I knew that cyber coming to this area so I knew my certain location of Target would be Fort Gordon area I

didn't select I'm not going to tell you the exact target I used you can infer that yourself figured out yourself however you may do um I don't plan on releasing any of this the data I collected but at the same time I knew that I needed a tagline I don't know home values everybody in this area talks about their home values and if you entice them to talk about their home values I guarantee they'll probably click on it that's what I was sing to my head so I knew that I needed to uh to move forward with something that was kind of deceiving and as well as it it targeted a specific uh let's say work

hours to kind of get the correlation to see if I could actually Target those type of people um so I came up with an ad uh simple um layout for Gordy and uptake and and 2% value and I knew that was uh that was going to probably probably do it so built the website build a simple website WordPress nothing specific I put some videos in there we don't even need to show yet but the most important thing here is that I removed that WordPress site within 10 minutes of of producing it I knew that I I knew that Facebook would review the site because from my logs I saw I saw them coming in but I didn't know how long it

would take them to figure out that I removed my original ad did can they CH detect change content well they can't for five days or seven days or I think it was 7 Days exactly how long this ad ran they didn't detect anything was suspicious nobody reported it and I even got some likes on it um add demographics so add demographics I knew that I wanted to Target A specific group um I'm not going to tell you that group that I targeted was 25 mile radius of this area and I was up and rolling uh and specifically in this point I want to make a note here that I use a desktop news feed I didn't use the right column

I don't you I was kind of thinking as a user I don't click on stuff on the right column ever that's usually just ads I'm looking in the middle middle column I'm looking for the data that's most likely shared by my friends family stuff of that sort so I I made sure it was only the uh the mobile and also the desktop Newsfeed I set up for a simple schedule from 9 12 lunch and then a little bit after work I didn't want it running at night probably not the users I wanted to Target they have work so uh add one had some decent analytics 164 hits uh over that time frame uh I started drilling down I said

is my original goal effective I wanted to Target by geographical location it was I had 88 hits out of the total 161 now the data here that you see may be a little skewed because remember 25 miles we're close to South Carolina important factor is I did not deselect traveling targets so I made a mistake there I I basically anybody that lived in the gusta region would be targeted but at the same time anybody traveling would also be targeted so if you want to do your own campaign maybe make it a little more accurate uh might be the way to go about it um all over from Atlanta all the way to to Martinez so uh they also have a kind of an

interesting tab with service providers kind of the browser to kind of see what I'm hitting and then uh tracking user agents is actually pretty simple uh with Google analytics and you can even look in your logs I mean those things are super uh specific for your user agent um you can tell everything from platform to what CPU they're even using in some cases uh second ad way more successful what was different this one was a website promotion versus a post promotion the first one was advertising my post for some reason Google uh seemed to have a better um or maybe maybe my uh SE Target was more well defined uh and my audience was more

receptive to it I don't know but I had 273 sessions with this one at the same price uh 175 of those were in Georgia and then a ton of those were within the uh the basically the gusta region area uh something interesting here we didn't notice before was the not set what is this not set service provider um because a lot of times AT&T all these these all come up as service providers and inside Facebook it said I only had 99% mobile feed uh like Impressions but on here it's telling me I have Chrome Safari all this other stuff what is this why is it coming Chrome I didn't understand what my what my statistics

were so I really had to ask myself am I heading my T Target geographically it's easy to say yes but what about the demographics am is it truly accurate um am I really hitting the ISP uh is or is the ISP kind of like maybe anonymizing me um some of the page interactions can be very helpful to see if you're actually hitting your Target and maybe some secondary research um of that 95 sessions that were not set uh I went through and did some post analysis on it and found out that they did resolve to some interesting domains um and this could be possibly to proper filtering or anization on Google side I don't actually know the answer to that um but

at the same time it's important to verify your results and you know maybe use a tool like just metadata written by Chris trer which is a pretty good one uh to do some of the basic IP analysis and then I want to know hey am I really hitting my target using face like maybe the likes and comments stuff like that uh all the stuff that I found the eight likes that are actually in in involved I did see that eight eight of them were affiliated with my target audience and I knew that I had to put this in context what's the impact here so I can Target fine great but what can one guy with

limited funds do he can run two ad campaigns he can get six hours in six hours you can get two ad campaigns up and he can easily engage over uh like 300 400 people um so I put it together calculation let's say if I had 10K a well-funded thre actor group and 160 hours of a month and I say I can bust out 26 unique ads within that month 100,000 plus unique engagements and at the same time at 9 cents per engagement uh that's pretty cheap with a 1.5 million uh potential reach so major findings just some on the Facebook side possibly uh the review process is obviously a joke couldn't detect a clearly cloned website the

Clone website still had the favicon uh logos static source of the original website did change around some and they also did scan did they even scan from hour I don't know nothing that I saw from my end indicated that they did it could have been all passive obviously so uh there's no real answer for that and I was not willing to test something of that sort um continuing monitoring um I did uh I did remove that one page within 10 minutes um at that time I I couldn't differentiate if Facebook went back and checked but as far as I could understand they didn't so that means within 10 minutes I could simply pull down my page

host a a full aone exploit server from met exploit and nobody would know and there's no way for you to even report this in Facebook if you click on that ad you can't right uh right click on it and even report it there's nothing there so are they really protecting us the answer is kind of Google moving uh he mo they mve to uh um encrypted ads as is June uh to prevent some of that you know in uh middle in the Man attack kind of stuff Facebook did recently start a negotiation with risk IQ and they did start monitoring uh pages to protect users from malicious ads that's an important fact maybe their their their

capability is not there but it will be in the future um and there's some really interesting collegial research on the on the net about detecting cloned websites and so it's there it it's it's out their fingertips they can easily integrate this kind of stuff um some of the basic tips before we uh wrap this up proper Recon is crucial soci engineering uh is a must for to be relevant to your Target and the holistic view of the ad everything has to come in account I didn't Target specifics like what they had to dinner or they travel things like that but you can imagine what you do every day could also be integrated into Facebook to Target your specific

user and I did make some mistakes along the way uh I did uh call out one of my buddies uh Jared axons he uh is one of the the guys on the ATD team and he found out that I did buy T followers and he pushed it out to the entire Dro list that I bought Twitter followers so I suggest you don't do that and uh yeah you don't want to be get caught buying Twitter bots in the SEC industry all right uh some lesson learn uh Twitter is a new source and not so much of a social source as I did do start collecting some uh statistics on it it didn't seem to run well um I didn't have

good results and it might just because the reason or the way people use Twitter is more for defined usage like I'm only going after looking for infos stuff and I only follow certain people I tried to build that reputation but it just didn't work um and most importantly it was scary easy for me to set this up and run with it a big shout out to a couple of my buddies uh Roberts and uh Matt I don't know if they're in here right now um but they helped me along the way they've been really uh instrumental uh team members and uh I really want to give them a big shout out and that's all I have any

questions goe

so I plan on reaching out to Facebook after this um oh okay sorry uh so the first question was uh was there a catch time correct um what immediate for like delivering the ad you're saying no there's about roughly about a 1 hour review process give or take depending on the time of the day and night they blow through within 10 minutes in the middle of the day you're looking at about an hour and then for the second question uh for the um the uh sorry say again the re the reach out to Facebook um I have not reached out to Facebook but I have seen that they worked with other uh institutes before uh University wise and I seem

like they probably be receptive and I probably will reach out to them after this um but anything else all right well we have some questions for you fores so first question come up with a trivia question while I'll hand out the first two come up with it on all right so um I'll let you give out the rubber ducky I'll give out the two books first one for a red [Music]

team

ad all right second second question uh so after Google and faceb the third most Microsoft right question yep what AP group and number specific uses Cloud dup tool set Buzby there you go9 RCS and um couple more numbers that be I know tiet here's the the numbers for the winners for the drawings um if you hear your number you can go to the pi pick up your prizes thanks man if you

[ feedback ]
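The cloned landing page described in the talk kept HTTrack's mirror comments and the original site's favicon and share (Open Graph) tags, and the ad review did not flag any of it. As an added example, not code from the talk or its speaker, here is a small Python check that an ad-review pipeline or landing-page scanner could run over fetched HTML to surface exactly those indicators: HTTrack comment markers and share metadata or a favicon that point at a host other than the one serving the page. The sample pages, the `landing.example` and `datavis.example.org` hostnames and the function names are constructed for this example; the "Mirrored from ... by HTTrack" comment wording is HTTrack's own marker.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTTrack mirror of a third-party site, with the mirror comments,
# favicon and Open Graph tags left pointing at the original domain. Domains are made up;
# the "Mirrored from ... by HTTrack" comment wording is HTTrack's own marker.
CLONED_PAGE = """<!DOCTYPE html>
<!-- Mirrored from datavis.example.org/ashley/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Jun 2015 12:00:00 GMT -->
<html><head>
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
<meta property="og:url" content="http://datavis.example.org/ashley/" />
<meta property="og:image" content="http://datavis.example.org/img/map.png" />
<link rel="icon" href="http://datavis.example.org/favicon.ico" />
<title>Users per capita by ZIP code</title>
</head><body><p>...</p></body></html>
"""

# Constructed sample of a page whose share metadata and favicon belong to the serving host.
CLEAN_PAGE = """<!DOCTYPE html>
<html><head>
<meta property="og:url" content="https://landing.example/" />
<meta property="og:image" content="https://landing.example/img/hero.png" />
<link rel="icon" href="/favicon.ico" />
<title>Landing</title>
</head><body><p>Hello</p></body></html>
"""

MIRROR_RE = re.compile(r"Mirrored from\s+(\S+)\s+by HTTrack", re.IGNORECASE)


class CloneIndicatorParser(HTMLParser):
    """Collects HTTrack comments and the hosts referenced by og:* tags and the favicon."""

    def __init__(self):
        super().__init__()
        self.mirror_sources = []       # hosts named in "Mirrored from" comments
        self.httrack_comments = 0      # any other comment that mentions HTTrack
        self.referenced_hosts = set()  # hosts found in og:* content and icon href

    def handle_comment(self, data):
        m = MIRROR_RE.search(data)
        if m:
            self.mirror_sources.append(m.group(1).split("/")[0].lower())
        elif "httrack" in data.lower():
            self.httrack_comments += 1

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        url = None
        if tag == "meta" and (a.get("property") or "").lower().startswith("og:"):
            url = a.get("content")
        elif tag == "link" and "icon" in (a.get("rel") or "").lower():
            url = a.get("href")
        host = urlparse(url).netloc.lower() if url else ""
        if host:  # relative URLs carry no host and are not an indicator
            self.referenced_hosts.add(host)


def assess_landing_page(html, served_host):
    """Return the clone indicators found in a page fetched from served_host."""
    p = CloneIndicatorParser()
    p.feed(html)
    p.close()
    findings = []
    for src in p.mirror_sources:
        findings.append(f"httrack-mirror-comment: mirrored from {src}")
    if p.httrack_comments:
        findings.append(f"httrack-marker-comments: {p.httrack_comments}")
    foreign = sorted(h for h in p.referenced_hosts if h != served_host.lower())
    if foreign:
        findings.append("share-metadata-or-favicon-on-other-host: " + ", ".join(foreign))
    return findings


if __name__ == "__main__":
    for name, page in (("cloned", CLONED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, assess_landing_page(page, "landing.example") or ["no indicators"])
```

The host comparison is deliberately simple: a landing page whose share image, canonical URL or favicon all live on a different domain is worth a second look by a reviewer, and the HTTrack comments are a near-certain sign of a static mirror. A reviewer would re-fetch the page after approval as well, since the talk's point is that the content changed minutes after the review.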