Trojans, Click Fraud, and Money Appeals Are Just a Few of the Vectors That Help Malware Writers Take Advantage of Internet Users: McAfee Security Journal, Fall 2008
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
Symantec Report on Rogue Security Software July 08 – June 09
Symantec Enterprise Security. Symantec Report on Rogue Security Software, July 08 – June 09. Published October 2009. White Paper: Symantec Enterprise Security. Contents: Introduction; Overview of Rogue Security Software; Risks; Advertising methods; Installation techniques; Legal actions and noteworthy scam convictions; Prevalence of Rogue Security Software; Top reported rogue security software; Additional noteworthy rogue security software samples; Top rogue security software by region; Top rogue security software installation methods; Top rogue security software advertising methods; Analysis of Rogue Security Software Distribution; Analysis of Rogue Security Software Servers; Appendix A: Protection and Mitigation; Appendix B: Methodologies; Credits. Introduction: The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs. This includes an overview of how these programs work and how they affect users, including their risk implications, various distribution methods, and innovative attack vectors. It includes a brief discussion of some of the more noteworthy scams, as well as an analysis of the prevalence of rogue security software globally. It also includes a discussion on a number of servers that Symantec observed hosting these misleading applications. Except where otherwise noted, the period of observation for this report was from July 1, 2008, to June 30, 2009. Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network.
2020 Identity Theft Statistics | ConsumerAffairs
2020 Identity Theft Statistics | ConsumerAffairs (https://www.consumeraffairs.com/finance/identity-theft-statistics.html). Last Updated 01/16/2020. Identity theft statistics: trends and statistics about identity theft, by Rob Douglas, Identity Theft Protection Contributing Editor. In 2018, the Federal Trade Commission processed 1.4 million fraud reports totaling $1.48 billion in losses. According to the FTC’s “Consumer Sentinel Network Data Book,” the most common categories for fraud complaints were imposter scams, debt collection and identity theft. Credit card fraud was most prevalent in identity theft cases — more than 167,000 people reported a fraudulent credit card account was opened with their information. Identity theft trends in 2019: In the next year, the Identity Theft Resource Center (ITRC) predicts identity theft protection services will primarily focus on data breaches, data abuse and data privacy. ITRC also predicts that consumers will become more knowledgeable about how data breaches work and expect companies to provide more information about the specific types of data breached and demand more transparency in general in data breach reports. Cyber attacks are more ambitious: According to a 2019 Internet Security Threat Report by Symantec, cybercriminals are diversifying their targets and using stealthier methods to commit identity theft and fraud. Cybercrime groups like Mealybug, Gallmaker and Necurs are opting for off-the-shelf tools and operating system features such as PowerShell to attack targets.
Supply chain attacks are up 78%. Malicious PowerShell scripts have increased by 1,000%. Microsoft Office files make up 48% of malicious email attachments. Internet of Things threats on the rise: Cybercriminals attack IoT devices an average of 5,233 times per month.
Cyber Threats to Mobile Phones Paul Ruggiero and Jon Foote
Cyber Threats to Mobile Phones. Paul Ruggiero and Jon Foote. Mobile Threats Are Increasing: Smartphones, or mobile phones with advanced capabilities like those of personal computers (PCs), are appearing in more people’s pockets, purses, and briefcases. Smartphones’ popularity and relatively lax security have made them attractive targets for attackers. According to a report published earlier this year, smartphones recently outsold PCs for the first time, and attackers have been exploiting this expanding market by using old techniques along with new ones.¹ One example is this year’s Valentine’s Day attack, in which attackers distributed a mobile picture-sharing application that secretly sent premium-rate text messages from the user’s mobile phone. One study found that, from 2009 to 2010, the number of new vulnerabilities in mobile operating systems jumped 42 percent.² The number and sophistication of attacks on mobile phones is increasing, and countermeasures are slow to catch up. Smartphones and personal digital assistants (PDAs) give users mobile access to email, the internet, GPS navigation, and many other applications. However, smartphone security has not kept pace with traditional computer security. Technical security measures, such as firewalls, antivirus, and encryption, are uncommon on mobile phones, and mobile phone operating systems are not updated as frequently as those on personal computers.³ Mobile social networking applications sometimes lack the detailed privacy controls of their PC counterparts. Unfortunately, many smartphone users do not recognize these security shortcomings. Many users fail to enable the security software that comes with their phones, and they believe that surfing the internet on their phones is as safe as or safer than surfing on their computers.⁴ Meanwhile, mobile phones are becoming more and more valuable as targets for attack.
Solutions for Increased Productivity Simple “Do-It-Yourself” Tips For
Solutions for Increased Productivity: Simple “Do-it-Yourself” tips for speeding up your Computer. So your computer is running slow. There are numerous things that can cause a slow PC. They are: • Spyware: Programs running in the background without your knowledge. (Programs that spy on your surfing habits, etc, and report this info to someone else.) • Viruses, Trojans and other forms of Malware (Malicious Software). • Fragmented File Systems. • Lack of Hard Drive Space. • System Tray Overload. After we look at these 5 “Anti-Productivity” Scenarios, we will look at ways of dealing with them, and bringing your system back up to speed. Spyware. Let’s start off with Spyware. Spyware is software installed without your knowledge. How does this software get installed without you knowing about it, you ask? Remember the old saying, “The best things in life are free.” Well, as it turns out, Software isn’t one of them. You see, just because it is free for you (financially speaking), the company is still making money on it. Yes, I know... you have the free version, and there is a full version, which you can buy. But, even the free version is making the software company money. How you ask? Spyware. This is how it works. A Big Software Company, let’s call them “Company A”, has a product that they want to put on the market, but they don’t want the user to have to pay for it. They still however, want to make money off it though. How, you ask? This is where the Little Software Company (“Company B”) comes into the picture.
Fraudware How It Works and How to Prevent It from Attacking Your System a Fast Rhino Presentation to the Vistoso Computer Society November 11, 2012
Fraudware: How it works and how to prevent it from attacking your system. A Fast Rhino Presentation to the Vistoso Computer Society, November 11, 2012. Before we jump in to Fraudware, we should most likely begin by defining "Malware", which is short for "Malicious software". We've all heard a lot in the past about viruses, adware, & spyware. Today, the industry basically refers to just about any software-based threat as "Malware". More specifically, Malware is a term used to define software that is intended to disrupt the operation of a computer, collect sensitive data, or gain access to private computer systems. Its definition is always expanding since new exploits continue to evolve. Malware consists of a broad spectrum of techniques used to infect systems, including viruses, worms, Trojan horses, rootkits, backdoors and drive-by downloads. Each of these operates differently; however, attacks can very often include a combination of these methods. And, although many of you in this room may already be aware of these, some of you may not, so please bear with me as we go through a basic understanding of these. A virus is a program that infects executable software. When it runs, it allows the virus to spread to other executables. In the spring of 1999, a man named David L. Smith created a computer virus based on a Microsoft Word macro. He built the virus so that it could spread through e-mail messages. Smith named the virus "Melissa," saying that he named it after an exotic dancer from Florida. "Melissa" was one of the first major computer viruses to get the public's attention.
“We Are All Rwandans”
UNIVERSITY OF CALIFORNIA, Los Angeles. “We are all Rwandans”: Imagining the Post-Genocidal Nation Across Media. A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Film and Television by Andrew Phillip Young, 2016. ABSTRACT OF DISSERTATION: “We are all Rwandans”: Imagining the Post-Genocidal Nation Across Media, by Andrew Phillip Young, Doctor of Philosophy in Film and Television, University of California, Los Angeles, 2016. Professor Chon A. Noriega, Chair. There is little doubt of the fundamental impact of the 1994 Rwanda genocide on the country's social structure and cultural production, but the form that these changes have taken remains ignored by contemporary media scholars. Since this time, the need to identify the particular industrial structure, political economy, and discursive slant of Rwandan “post-genocidal” media has become vital. The Rwandan government has gone to great lengths to construct and promote reconciliatory discourse to maintain order over a country divided along ethnic lines. Such a task, though, relies on far more than the simple state control of media message systems (particularly in the current period of media deregulation). Instead, it requires a more complex engagement with issues of self-censorship, speech law, public/private industrial regulation, national/transnational production/consumption paradigms, and post-traumatic media theory. This project examines the interrelationships between radio, television, newspapers, the Internet, and film in the contemporary Rwandan mediascape (which all merge through their relationships with governmental, regulatory, and funding agencies, such as the Rwanda Media High Council - RMHC) to investigate how they endorse national reconciliatory discourse.
Address Munging: the Practice of Disguising, Or Munging, an E-Mail Address to Prevent It Being Automatically Collected and Used
Address Munging: the practice of disguising, or munging, an e-mail address to prevent it being automatically collected and used as a target for people and organizations that send unsolicited bulk e-mail. Adware: or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware is software designed to force pre-chosen ads to display on your system. Some adware is designed to be malicious and will pop up ads with such speed and frequency that they seem to be taking over everything, slowing down your system and tying up all of your system resources. When adware is coupled with spyware, it can be a frustrating ride, to say the least. Backdoor: in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device. A back door is a point of entry that circumvents normal security and can be used by a cracker to access a network or computer system. Usually back doors are created by system developers as shortcuts to speed access through security during the development stage and then are overlooked and never properly removed during final implementation.
A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics
UNIVERSIDAD POLITÉCNICA DE MADRID, ESCUELA TÉCNICA SUPERIOR DE INGENIEROS INFORMÁTICOS. A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics. PH.D THESIS. Platon Pantelis Kotzias. Copyright © 2019 by Platon Pantelis Kotzias. DEPARTAMENTO DE LENGUAJES Y SISTEMAS INFORMÁTICOS E INGENIERIA DE SOFTWARE, ESCUELA TÉCNICA SUPERIOR DE INGENIEROS INFORMÁTICOS. A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics. SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing. Author: Platon Pantelis Kotzias. Advisor: Dr. Juan Caballero. April 2019. Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France. Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain. Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain. Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain. Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain. Abstract of the Dissertation: Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and systematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
Technical Reference for Microsoft SharePoint Server 2010
Technical reference for Microsoft SharePoint Server 2010. Microsoft Corporation. Published: May 2011. Author: Microsoft Office System and Servers Team ([email protected]). Abstract: This book contains technical information about the Microsoft SharePoint Server 2010 provider for Windows PowerShell and other helpful reference information about general settings, security, and tools. The audiences for this book include application specialists, line-of-business application specialists, and IT administrators who work with SharePoint Server 2010. The content in this book is a copy of selected content in the SharePoint Server 2010 technical library (http://go.microsoft.com/fwlink/?LinkId=181463) as of the publication date. For the most current content, see the technical library on the Web. This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, Backstage, Excel, Groove, Hotmail, InfoPath, Internet Explorer, Outlook, PerformancePoint, PowerPoint, SharePoint, Silverlight, Windows, Windows Live, Windows Mobile, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 12, DECEMBER 2015. TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor. Zhen Ling, Junzhou Luo, Member, IEEE, Kui Wu, Senior Member, IEEE, Wei Yu, and Xinwen Fu. Abstract— Tor is a popular low-latency anonymous communication system. It is, however, currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we designed and implemented a novel system, TorWard, for the discovery and the systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints, and allows the investigation to be performed in a sensitive environment such as a university campus. An intrusion detection system (IDS) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and the effectiveness of TorWard. Our results show that around 10% Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet I. INTRODUCTION: Tor is a popular overlay network that provides anonymous communication over the Internet for TCP applications and helps fight against various Internet censorship [1]. It serves hundreds of thousands of users and carries terabyte of traffic daily. Unfortunately, Tor has been abused in various ways. Copyrighted materials are shared through Tor. The black markets (e.g., Silk Road [2], an online market selling goods such as pornography, narcotics or weapons¹) can be deployed through Tor hidden service. Attackers also run botnet Command and Control (C&C) servers and send spam over Tor.
Spyware and Adware Continue to Present Substantial Harms to Internet Users and to the Internet As a Whole
Testimony of Benjamin Edelman before the United States Senate Committee on Commerce, Science and Transportation, June 11, 2008. Benjamin Edelman, Assistant Professor, Harvard Business School, Baker Library 445, 1 Soldier’s Field Rd, Boston, MA 02163. Chairman Inouye, Senator Pryor, Members of the Committee: My name is Benjamin Edelman. I am an assistant professor at the Harvard Business School, where my research focuses on the design of electronic marketplaces, including designing online marketplaces to assure safety, reliability, and efficiency. My full biography and publication list are at http://www.benedelman.org/bio and http://www.benedelman.org/publications. Today the committee considers the important problems of Internet spyware and deceptive adware – scourges that threaten the reliability, trustworthiness, and overall utility of many users’ Internet access. My bottom line: Despite some recent progress, spyware and adware continue to present substantial harms to Internet users and to the Internet as a whole. Many improper practices are already prohibited under existing statutes including the FTC Act, state consumer protection statutes, and state anti-spyware legislation. These statutes have given rise to a series of cases, both public and private, that have somewhat reined in the problems of spyware and adware. Tough Federal legislation could assist in bringing spyware and adware purveyors to justice, and in further deterring creation and support of this noxious software. But the bill at hand addresses only a portion of the problem, while in some ways reducing the effectiveness of existing efforts. By prohibiting specific individual practices, the bill invites perpetrators to comply with the letter of the law while continuing to harm and deceive consumers.
Influencer Marketing with Fake Followers
IIMB-WP NO. 580/2020. WORKING PAPER NO: 580. Influencer Marketing with Fake Followers. Abhinav Anand, Assistant Professor, Finance and Accounting, Indian Institute of Management Bangalore, Bannerghatta Road, Bangalore – 5600 76, [email protected]. Souvik Dutta, Assistant Professor, Social Sciences, Indraprastha Institute of Information Technology, Delhi - 110020, [email protected]. Prithwiraj Mukherjee, Assistant Professor, Marketing, Indian Institute of Management Bangalore, Bannerghatta Road, Bangalore – 5600 76, [email protected]. Year of Publication – January 2020. Influencer Marketing with Fake Followers. Abhinav Anand, Souvik Dutta, Prithwiraj Mukherjee. January 23, 2020. Abstract: Influencer marketing is a practice where an advertiser pays a popular social media user (influencer) in exchange for brand endorsement. We develop an analytical model in a contract-theoretic setting between an advertiser and an influencer who can inflate her publicly displayed follower count by buying fake followers. There is a non-strategic third party audit which successfully detects fraud with some probability, leading to additional reputational costs for the influencer. We show that the optimal contract exhibits widespread faking which increases with the influencer’s true follower count (type). The advertiser exploits the influencer's fraud as a screening mechanism to identify her type. The audit accuracy and penalty from being exposed do not affect optimal faking levels but the increased cost imposed by the audit to the influencer gets passed on to the advertiser in terms of higher payments. Our paper illustrates why fake followers are rife in influencer marketing, and how digital marketers can exploit this phenomenon to their advantage. Keywords: Digital marketing, social media, influencer marketing, fake followers, optimal control, contract theory.