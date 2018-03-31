Maladvertisements: The Consumer’s Nightmare

By Akpan Emaediong Ofonime

Introduction

Malvertising is the use of online advertising to spread malware.[1] Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Online advertisements provide a solid platform for spreading malware because significant effort is put into them in order to attract users and sell or advertise the product.[2] Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like.[3] Malvertising is “attractive to attackers because they ‘can be easily spread across a large number of legitimate websites without directly compromising those websites’.[4]

Malvertising is a fairly new concept for spreading malware and is even harder to combat because it can work its way into a webpage and spread through a system unknowingly: “The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from. Infections delivered through malvertising silently travel through Web page advertisements.” It is able to expose millions of users to malware, even the most cautious, and is growing rapidly: “In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising.”[5] Attackers have a very wide reach and are able to deliver these attacks easily through advertisement networks. Companies and websites have had difficulty diminishing the number of malvertising attacks, which “suggests that this attack vector isn’t likely to disappear soon.”

Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Computers can become infected pre-click and post click. It is a misconception that infection only happens when visitors begin clicking on a malvertisement. “Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site, which could be malicious. Malware can also be found in the delivery of an ad – where a clean ad that has no malware pre or post click (in its build and design) can still be infected whilst being called. [8] Malicious code can hide undetected and the user has no idea what’s coming their way. A post-click malvertisement example: “the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web.” Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. A redirection that is taking place only needs to be co-opted in order to infect a user’s computer.[6]

The Concept of Malvertisement

This is the malicious advertisement on the internet capable of infecting the viewer’s computer with malware. It is a hijacking technique of choice for organised crimes.[7] It can also an infected online advertisement. They are hosted on malicious as well as legitimate sites and social networks. Where the user clicks on a malware, it allows cyber criminals to spread malware easily. They target flaws in the delivery of advertisements and it includes third party ds to legitimate websites advertising servers or flaws in redirection of ads. The challenge of malvertisement has evolved into a more sophisticated outlook. It has defied the self-protect mechanism by consumers who do no click on suspicious links. Nowadays consumers are faced with the severe threat of malvertisements. These malads can infect the consumer’s computer without a single click. Using the same to steal the consumer’s identity, access bank account details and lock away sensitive documents and demand for ransom to release documents back to the consumer. Even where a single ad goes through as much as six (6) intermediaries before reaching websites it appears that these complexities has opened the door to be an easy way for cyber criminals to companies consumers.[8] Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place “clean” advertisements on trustworthy sites first in order to gain a good reputation, then they later “insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus”, thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the “ad network infrastructure is very complex with many linked connections between ads and click-through destinations.” Some malvertisements can infect a vulnerable computer even if the user never clicks on the (normal-appearing) advertisement.[9]

The first recorded sighting of malvertising was back in late 2007 / early 2008. This threat was based on a vulnerability in Adobe Flash (something that has continued to this day ) and affected a number of platforms including, MySpace , Excite and Rhapsody .The NY Times online magazine was found to be serving up an ad that was part of a larger click fraud scam that created a botnet network of malware infected computers, nicknamed the Bahama botnet, that then went onto be used to carry out click fraud on pay per click ads all over the web. The banner feed of The New York Times was hacked for the weekend of September 11 to 14, causing some readers to see advertisements telling them their systems were infected and trying to trick them into installing rogue security software on their computers. According to spokeswoman Diane McNulty, “the culprit approached the newspaper as a national advertiser and had provided apparently legitimate ads for a week”, and the ads were switched to the virus alert malvertisement afterwards. The New York Times then suspended third-party advertisements to address the problem, and even posted advice for readers regarding this issue on its technology blog. Spotify had a malvertising attack which used the Blackhole exploit kit – this was one of the first instances of a drive-by download, where a user doesn’t even have to click on an ad to become infected with malware. According to Bluecoat Security Systems Report 2011,[10] saw an increase of 240% in malvertising based malicious sites.

In 2013 a major malvertising campaign was waged against Yahoo.com , one of the largest ad platforms with monthly visits of 6.9 billion. The malware exploit was based on the commonly used web attack, Cross-site scripting (XSS), number three in the top ten web attacks types identified by the Open Web Application Security Project[16] (OWASP). The attack infected users machines with the ransomware, ‘Cryptowall’, a type of malware that extorts money from users by encrypting their data and placing a ransom of up to $1000 in bitcoins, to be paid in 7 days, to decrypt the data. To date, malvertising has continued unabated and is truly coming into its own. 2015 is the year that malvertising really hit the mobile user. McAfee has identified, in their Threat Report for February 2015 [19] that malvertising is growing quickly on mobile platforms and is expected to continue to grow rapidly, targeting mobile users. This year has seen attacks against, eBay, answers.com, talktalk.co.uk, wowhead.com and many others. It involved breaches of ad networks, including, DoubleClick and engage:BDR . There was also a report of possibly the first ‘political malvertising’ campaign by pro-Russian activists which was based on a botnet, which then forced users machines to visit bogus sites that generated ad revenue for the activists. The users also ended up at several pro-Russian propaganda videos. By visiting websites that are affected by malvertising, users are at risk of infection. There are many different methods used for injecting malicious advertisements or programs into webpages.Pop-up ads for deceptive downloads, such as fake anti-virus programs that install malicious software on the computer.[11]In-text or in-content advertising,Drive-by downloads.[12]Web widgets in which redirection can be co-opted into redirecting to a malicious site [13].Hidden iframes that spread malware into websites.[14] Content delivery networks exploited to share malware.[15] Malicious banners on websites.[16]

Forms of Malvertisement

The Concept of Phishing

The term Phishing[17] originates from the analogy that the fraudster uses e-mails as bait to fish for profitable personal information from an unsuspecting sea of Internet consumers.[18] Phishing is a special type of spam that is intended to trick a consumer into entering their personal or account information for the purpose of breaching their account and committing identity theft or fraud. Typically, a false e-mail message is delivered to the consumer. The e-mail appears to come from a legitimate source, for example eBay, their bank, government departments etc. The message may contain a legitimate corporation’s logo, and appear to be sent from the corporation’s e-mail address. A typical Phishing attack involves the Phisher who sends an e-mail that appears to originate from a legitimate business to a consumer. Phishers usually achieve this by using familiar trademarks, tradenames and other common corporate identifiers. The Internet Service Provider delivers the e-mail—which operates as bait—to an unsuspecting Internet user. The email typically creates a false sense of urgency by informing the user that there is a problem with his or her account. The e-mail then requests personal information from the user in order to validate the account. The recipient enters personal information or clicks on a phony website that mimics the appearance of the organization mentioned in the e-mail. The Phisher uses the information obtained from the consumer to commit identity theft and/or fraud. The message may ask the consumer to click a link in the message to update their account, or run a software program to upgrade their computer. Although the message looks legitimate, it is really trying to compel the consumer to submit their personal and confidential information, which will be used to steal their credentials. Normally they are asked to enter information such as name, date of birth, place of birth, social security number, mother’s maiden name, bank account number, and bank account PIN. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online.[19]

Phishing is also an attempt to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. According to Graydon phishing is used by identity thieves to acquire personal information (e.g., names, passwords, Social Security numbers and credit card details) by using fraudulent e-mail messages that appear to originate from a legitimate business.[20] Phishing e-mails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details on a fake website which looks are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive consumers, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.[21]

Although the incidence of Phishing has increased recently, it has been around for several years. Recent Phishing scams differ from their earlier counterparts in their levels of sophistication. While older Phishing e-mails were easily identifiable due to spelling, grammatical, and typographical errors, today’s Phishing e-mails look legitimate. Moreover, current spyware technology allows Phishers to take advantage of software security flaws in order to avoid fraud and spam filters.[22] One form of spyware even allows the fraudulent URL to replace the actual URL in the consumer’s address bar by installing a fake address bar.[23] The fake address bar remains in the consumer’s computer and permits the Phisher to monitor the consumer’s Internet activity and access the information the consumer sends and receives.[24]

Generally, Phishing attacks are indiscriminate, relying on spam to target a large number of Internet users. However, over the past few years, Internet fraudsters have grown increasingly sophisticated and are using more targeted forms of Phishing to steal information from victims.[25] Spear phishing, pharming, and vishing are modern forms of deception with deep roots which consumers are exposed to. Spear Phishing targets a specific group of individuals.[26] Spear Phishers send e-mails that appear legitimate “to a specifically identified group of Internet users, such as certain users of a particular product or service, online account holders, employees or members of a particular company, government agency, organization, group, or social networking website.”[27] Because the email appears to come from a source that is trusted by the recipient, the request for personal information may appear more plausible and legitimate. Pharming, also called Domain Spoofing, is a more sophisticated form of Phishing that uses trojan horse programs that compromise the user’s computer or Domain Name System (“DNS”) server to reroute Internet users from the Internet site they desire to view to an illegitimate site that mimics the legitimate site.[28] The user then enters his or her personal information into the database of the illegitimate website. Pharming attacks are on the rise as savvy Internet users and companies have become more cautious about responding to Phishing attacks. Pharming is particularly dangerous because consumers are not aware of the attack; it does not require the consumer to follow a link to a fraudulent e-mail message. Instead, the attack occurs at the infrastructure level by compromising the user’s computer. Thus, even the most careful Internet users may become victims of Pharming.[29] In 2006, Vishing, also known as Voice Phishing, emerged as a twist on traditional Phishing.[30] Vishing is a technique that combines Internet and telephone resources to capture personal information In the typical Vishing scam, a consumer receives a fraudulent e-mail message purporting to be from a bank or an e-commerce site such as eBay. The message states that the consumer’s account is disabled and that the customer must contact the account source to fix the problem. A telephone number is provided and the consumer is told to call the number and provide personal account information.[31] Vishing is problematic because it takes advantage of inexpensive Internet technology such as Voice-over-Internet-Protocol, to emulate common bank-customer conduct in which consumers are encouraged to call their bank and authenticate information.[32]

Spam

Spams are unsolicited bulk e-mail messages or any message irrespective of content that is unwanted or unrequested by the recipient. Spam messages are mostly commercial advertising, although chain letters, political mailings and other forms of non-commercial mailings are often included under the same categorization. A large portion of spam has also been found to be comprised of ads for products of dubious quality and services of questionable legality. There are two types of spam: intentional and unintentional. Intentional spam comes from spammers who are soliciting products or attempting to commit fraud. Unintentional spam originates from computers that are infected with a virus or worm that activates e-mail distribution processes in the background. The virus or worm attempts to send bulk messages from the infected computer without the awareness of the computer owner.[33] Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam.[34]

Spam can generally be categorized as unsolicited advertisements or cyber-attacks. Spam advertisements may be offering legitimate services but often offer the sale of cheap knock-off products.[35] Individuals marketing counterfeit goods may be charged under section 406 for forging trademarks and/or section 408 for passing off. Spam may also be designed as a cyber attack of which many techniques exist.[36] Phishing scams are designed to fraudulently induce the consumers into divulging information relating to a legitimate service. For example, spammers may attempt to obtain passwords from their victims by falsely claiming that the security of their victims account has been compromised, requiring them to divulge personal information to the spammers.[37] Spammers may be also be able to infect their victim’s computer with various forms of malware. One type of malware is called ransomware, which can lockout a victim from their data until a ransom is paid. The courts may interpret a spammer propagating ransomware as someone guilty of extortion under section 346 (1) and likely mischief as well under section 430 (1). Spyware is another type of malware which gathers personal information without the user’s consent, which may have broad privacy legal issues.

According to Myschyshyn spam is an unsolicited electronic message used to make money. Spam can be delivered using a variety of media, including emails, instant messages, and many others.[38] Spam may simply be an unwanted advertisement or range in a variety of scamming efforts. In 2012, experts estimated spam costs in the United States at US$20 billion annually.[39] The United States has a federal anti-spam legislation called the CAN-SPAM Act enacted in 2003 with criminal penalties that have ensured the conviction of violators.[40] However, same cannot be said of Nigeria as the major spammers are telecommunications companies bombarding consumers with unsolicited adverts. The Nigerian Law appears to be have been interpreted to solely prohibit the use of spam for criminal acts, whereas this is not so.

In 2014 Canada’s Anti-Spam Legislation (CASL, formerly bill C-28) came into force.[41] CASL regulates commercial electronic advertising and provides a more secure Internet by penalizing cyber-attackers.[42] CASL has been used to grant a warrant to take down a Toronto-based server that was the source of malware threatening computer security.[43] Critics claim that CASL may be too harsh on business marketers who, under the act, require strict consent to deliver electronic advertisements to consumers.[44] Nevertheless, CASL is a logical step forward in an ever growing technological era. Computer science researchers developed a method to follow payments made to spammers.[45] They found that complex networks of cybercriminals exist that ensure the payment is received from the individual being spammed.[46] Notably, the researchers discovered that businesses rely on a small number of foreign banks to complete payment transactions which they claim may be an effective target to intervene spam schemes.[47]

Spyware

This is a type of malware (malicious software) installed on computers mostly via online advertisers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally to monitor users. While the term spyware suggests software that monitors a user’s computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with the consumer’s control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings.[48]

Spoofing

This is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Spoofing is often used by spammers and can be accomplished by changing your “FROM” e-mail address. E-mail spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information, such as a password. E-mail spammers often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. To send spoofed e-mail, senders insert commands in headers that will alter message information. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus, someone could send spoofed e-mail that appears to be from you with a message that you didn’t write. A number of measures to address spoofing are available including: SPF , Sender ID , DKIM , and DMARC . Although their use is increasing, it is likely that almost half of all domains still do not have such measures in place. However, as of 2013, 60% of consumer mailboxes worldwide use DMARC to protect themselves against direct domain spoofing and only 8.6% of emails have no form of domain authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.[49]

Pharming

Pharming is a hacker’s attack intended to redirect a website’s traffic to another, bogus site. The term “pharming” is a new term based on the words “farming” and “phishing”. Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting e-commerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Anti-virus software and spyware removal software cannot protect the consumer against pharming.[50]

The Harmful Effect of Malvertisement and The Impact On Consumers

Malvertisement have an adverse effect on consumers, companies, and the Internet as a whole. On a consumer level, Malvertisements like Phishing leads to direct financial loss. Phishers use an individual user’s identity to withdraw money from the individual’s account or open a new account under the individual’s name. Gartner is of the view that the rise in Malvertisements in the past few years, will likely increase consumers losses annually. [51]

Spyware another form of malvertisement can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with the consumer’s control of a computer by installing additional software or redirecting Web browsers. The worrisome reality of this is that it can be used to cause aggressive foreign attacks with the use of drones, submarines which are all remotely controlled. In the same way it can cause injury to passengers aboard a flight, or motorist by either taking control of the auto piloting system in the former and taking control of traffic lights in the latter. Some spyware can change computer settings, which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings.[52] Malvertisements makes it possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus, someone could send spoofed e-mail that appears to be from a consumer with a message that the consumer didn’t write, this can cause the consumer major losses to either finance or goodwill. This is a form of misrepresentative and false advertising. Pharming is a hacker’s attack intended to redirect a website’s traffic to another, bogus site. Pharming which has become of major concern to businesses hosting e-commerce and online banking websites, results in financial loss as the attacker lures consumers away from the original site generating traffic to its own site and making money. Consumers are discouraged from using these websites as the redirected sites may also inflict their computers with malware, causing the brand to lose its goodwill. Spam which is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately[53] affects the consumer’s uninterrupted use of the computers (mobile phone). It constitutes nuisance as they are usually unsolicited and lure the consumer into making purchase decisions they ordinarily would not have made. They are also a good source of false advertising as they do not fully state the terms and conditions which they consumer must be aware of before they execute the contract.

Despite the adverse effects that Malvertisement has on individual Internet users (consumers) companies are the main victims of Malvertisement as they bear the majority of the direct financial loss that results from these attacks. In addition, companies targeted by Malvertisement also suffer harm to their goodwill and brand reputation. The criminals’ abuse of the brand’s reputation has immeasurable effects on marketing campaigns and customer confidence. The use of the targeted companies’ trademarked images and good names can also cause residual problems for consumers who may continue to associate the negative effects of the scam with the company. Consumers may lose confidence in the company and wish to discontinue doing business there–a situation analogous to a reluctance to keep putting money in a bank that continues to be robbed. Malvertisement also have a negative effect on the growth of e-commerce generally.[54] A 2006 consumer survey by Informa Research Services indicates that Malvertisement in varying forms have led to a loss in consumer confidence in the Internet marketplace.[55] Among several findings, the survey shows that 55% of consumers completely or strongly agreed with the statement that “Internet-based financial transactions are safe and secure,” representing a 15% decrease from 2003.[56] The survey indicated that 67% of online consumers are very concerned about identity theft and fraud on the Internet, and only 40% believed that e-based financial transactions are more secure than telephone banking, down from 47% in 2003. Malvertisement erodes the public trust in the Internet because it leads to uncertainty in the integrity of commercial and financial websites, and even the Internet’s addressing system. Thus, consumers are less likely to use the Internet for business transactions.[57]

Legislative Frameworks

Nigeria

The Cyber Crimes (Prohibition, Prevention Act 2015) is the legislative framework for malvertisement in Nigeria enforced by the Economic and Financial Crimes Commission (EFFC). There is an express mention of the term phishing which is the criminal and fraudulent process of attempting to acquire sensitive information e.g username, password and credit card details by masquerading as a trust worthy entity in an electronic communication through e-mails or instant messaging either inform of an email or instant messaging what appears to be by your bank asking a user to change his or her passwords or reveal his or her identity so that such information can be used to defraud the consumer.[58] This act is criminalised with a fine of 1million or an imprisonment term or both. The act further prohibits the deliberate and malicious spread of computer viruses or any malware thereby causing damage to critical information in public, private or financial institutions computer 1million or both.[59] This provision appears to give leeway to attacks that do not tamper/ cause damage to critical public information whether public or private. It also appears to classify information into critical and non-critical with no parameters for such classification. Consequently the attack on a consumer’s computer with ransom ware that simply locks away the files demanding for a ransom in return for the passcode to the files is not a situation envisaged by the Nigerian Cyber Crimes Act. Spamming is defined by the Act[60] as an abuse of electronic messages in systems to indiscriminately send unsolicited bulk messages to individuals and corporate organisations. From the foregoing it is clear that indiscriminate use of electronic messaging by telecomminuncations company in Nigeria amounts to spam. The reason being that they are unsolicited and it is an abuse of the contract that exist between the telecom operator and the consumers. The Nigerian Communications Commission (NCC) has adopted an opt-out model like most countries howbeit failing to recognise that these acts are prohibited and laced with criminal sanctions. It is not enough that the NCC has provided a code for consumers to opt-out of these spams;[61] this single act appears to be a pointer to the fact that the criminalisation of spam refers to that which involves only criminal activities. The Nigerian consumer can be said to be an easy target with its laws apparently short on technological developments.

New Zealand

The Crimes Act Amended (2003) provides for malvertisement in New Zealand though without an express mention of malvertisement or its forms. It prohibits the direct or indirect interference with a computer system and with varying degrees of punishment it goes on to prohibit other forms of malvertisement. Section 249 (1) (a)[62] prohibits the obtaining of property, privilege, services, pecuniary advantage, benefit, valuable consideration which causes loss to any other person. In the same vein the direct or indirect access to any computer system with intent, dishonestly or by deception without claim of right[63] to obtain any property, privilege, service pecuniary advantage, benefit, valuable consideration[64] or causes loss to any other person[65] Damaging or interfering with computer system intentionally, recklessly thereby destroying, damaging or altering any computer system knowing that danger to life is likely to result is punished with a 10 year imprisonment term.[66] This provision takes into cognisance the life threatening impact of malvertisement, which can manifest in the spread of malware thereby alter traffic lights, health facilities, power grid systems and several others. The Act[67] prohibits the direct or indirect access to any computer system with intent, dishonestly or by deception without authorisation knowing that he or she is not authorised or being reckless whether authorised or not causes any computer system to fail, deny access to authorised persons. This provision can be said to prohibit the use of ransom ware which operates to lock consumers out of their files demanding a ransom in return for the lock codes. Likewise the Act prohibits the sale of malware and can be interpreted to mean that malwares cannot be advertised.[68] This is a novel inclusion as most legislation does not expressly prohibit the advertisement of malads. Malvertisements are further nipped in the bud through the prohibition of direct or indirect access to a computer system which damages, deletes, modifies or otherwise interferes with or tampers with any data or software therein.[69]

Canada

The Canadian Anti-spam legislation (CASL) 2014 requires individuals or organisations that send commercial electronic messages (CEM)[70] to obtain the express consent for all Canadian recipients. It was created to cut down on spam and reduce the frequency of phishing, viruses and identity theft and other cybercrimes. It applies to all commercial messages transmitted through email, social media, voice mail, text and internet messages.[71] Canada uses the opt-in model as opposed to other countries. That is to say consumers must elect to receive messages. This consent must be obtained orally, in writing, and the burden proof on sender. The Canadian legislation is referred to as the toughest anti-spam legislation in the world. Private individuals who are in contravention of the legislation are liable to pay one million Canadian dollars and Ten million for its business organisation counterpart. The regulatory agency charged with the enforcement of the CASL is the Canadian radio television and telecommunication commission, the Canadian competition Bureau and the Office of the Privacy Commissioner of Canada.[72] The CASL is not applicable to charity organisations, political content, personal and non-business relationship. The Canadian CASL in the opinion of this research work is the most consumer-vulnerability oriented legislation. It leaves no stone un-turn in protecting the consumer first before commercial relations.

Phishing scam is classified as fraud under section 380 of the Canadian Criminal Code. Depending on the type of information gained by a phishing scam, violators may be charged under the Code[73] for identity theft and identity fraud. A spam in the form of advance fee scam is regarded as false pretence and is prohibited by the Code.[74] They usually promise a consumer something too good to be true for a small fee in advance. For example, spammers may post advertisements offering a space for rent at an outstanding rate in exchange for a deposit.[75]The deposit never actually applied to anything and is simply stolen. The propagation of ransomware is likened to the crime of extortion[76] mischief.[77] In R v Charania, the accused was convicted of mischief in relation to computer data[78] and unauthorized use of a computer[79] by interfering with his previous employer’s data through unauthorized use of a company owned email address.[80] This indicates that the Canadian courts will generally treat offences committed on the Internet as offences committed in real public spaces.

United States of America

Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, otherwise known as the CAN-SPAM Act, established the first nationwide standard for commercial e-mail and requires the Federal Trade Commission to enforce its provisions.[81] Since the CAN-SPAM Act specifically prohibits the use of deceptive subject lines and fake headers in e-mail messages, it can be used to target Malvertisers.[82] The U.S. Safe Web Act of 2006[83] The Act[84] enhances the Federal Trade Commission’s ability to protect consumers from Phishing and other forms of malads by improving its ability to share information and to conduct joint investigative efforts with foreign law enforcement agencies. It also enables the FTC to obtain monetary consumer redress in cases involving spyware, spam, and Internet

fraud.[85]

The Internet Spyware Prevention Act of 2007 (“I-SPY Prevention Act”), targets maladvertisers by criminalising the collection of personal information through fraudulent means. Specifically, it prohibits intentionally accessing a prohibited computer without authorization, or exceeding authorized access by causing a computer program or code to be copied onto the protected computer, and intentionally using the program or code in furtherance of another federal criminal offense; or to obtain or transmit personal information with the intent to defraud or injure a person or cause damage to a protected computer; or to impair the security protection of that computer.[86]

Council of Europe

The Council of Europe’s Convention on Cybercrime (“Convention”) is the first and only international treaty that deals explicitly with cybercrime.[87] Its main goal is to harmonize world-wide laws relating to cybercrime.[88] This is especially important since cybercrime is often international in its nature. However, since only nineteen out of a total possible number of forty-three countries have ratified the convention, its effectiveness in that regard is limited. The Convention requires participating countries to adopt laws that address “computer intrusion, computer-facilitated fraud, child pornography and copyright infringement” as well as other forms of cybercrime.[89] The Convention is controversial because it lacks a dual criminality requirement.[90]

Conclusion

Malvertisement is one of the fastest growing methods of; generating nuisance, causing identity theft and threat to consumers on the Internet today. Most Internet service providers have an acceptable use policy that contractually prohibits a user from engaging in the distribution of a large array of malvertisement.[91] Despite the extensive criminal sanctions and other prohibitions which are in place to eliminate malvertisement they continue to spread.[92] The likely answer to this issue is that cybercriminals have a plethora of methods to assist in keeping their identity anonymous on the Internet.[93] Furthermore, cybercriminal organizations are not well understood amongst lay people. The availability of decentralized currency such as Bitcoin, Steem and others also poses a problem of tracing cyber criminals who pose threats to the consumers is problem. While it may never be completely eradicated, its threat and its effect on consumers can be greatly reduced. In order to combat Malvertisement in a comprehensive manner, resources need to be focused on developing methods of attack that focus on consumer education, private sector cooperation, and legislative enforcement, and to increase cooperation between these three methods. The private sector and consumer protection groups have not devoted increasing resources to consumer education and other anti-malad measures. There is a need for more collaboration in order to develop more comprehensive solutions that will effectively reduce Malvertisement and its variants. Malvertisement is a complex issue and will likely require future legal practitioners and other experts to develop novel strategies to combat this multi-billion issue.

Recommendations

Consumers should update their browser regularly The use of updated antivirus and anti-malware soft-wares must be encouraged Consumers should adjust browser settings privacy settings from automatic acceptance of cookies Enactment of substantive laws to criminalise malevolent activities on the internet Capacity building –awareness etc. Establishment of institutional framework for coordinated cyber security enforcement agencies Governments should target bottlenecks such as the handful of foreign banks that cybercriminals rely upon to receive payment for their scams, rather than making criminal sanctions even stronger.

About the Author

Emaediong Akpan is one of Nigeria’s leading voice against domestic violence, false advertisements, a born human rights activist, she is currently doing her LLM in consumer protection. She has written numerous comments piece for Trendiee and many other news media.

Some useful links:

[1] W Salusky, ‘Malvertising’ www.SANS ISC.com Last accessed 10th March 2018.

[2] A Sood and R Enbody, “Malvertising – Exploiting Web Advertising” . (2011) Computer Fraud and Security: Vol11(16).

[3] B Johnson . ‘Internet companies face up to ‘malvertising’ threat’ . (2009) The Guardian. Retrieved 11th March 2018.

[4] L Zeltser, ‘Malvertising: Some Examples of Malicious Ad Campaigns’. Lenny Zeltser on Information Security. Retrieved 2 March 2018.

[5] Online Trust Alliance.

[6] W Salusky “Malvertising” www.SANS ISC.com Last accessed 10th March 2018.

[7] Blue Coat System Inc. www.searchsecuritytechtarget.com accessed 1st March 2018.

[8] www.trendmic.com accessed 1st March 2018.

[9] R Siciliano, Robert “Business Identity Theft; Big Brand, Big Problems” . Retrieved

10 March 2018.

[10] https://www.bluecoat.com/sites/default/files/editor_files/BC_2012_Security_Report-v1i-optimized.pdf Retrieved 10 March 2018.

[11] Online Trust Alliance

[12] Online Trust Alliance

[13] A Sood and R Enbody, “Malvertising – Exploiting Web Advertising” . (2011) Computer Fraud and Security: Vol11(16).

[14] A Sood and R Enbody, “Malvertising – Exploiting Web Advertising” . (2011) Computer Fraud and Security: Vol11(16).

[15] A Sood and R Enbody, “Malvertising – Exploiting Web Advertising” . (2011) Computer Fraud and Security: Vol11(16).

[16] A Sood and R Enbody, “Malvertising – Exploiting Web Advertising” . (2011) Computer Fraud and Security: Vol11(16).

[17]Phishing is spelled with “ph” instead of “f” to allude to “Phone Phreaking,” a form of hacking popular in the 1970s that “used electronics to hack into telephones and get free calls.” Microsoft, Pharming: Is Your Trusted Web Site a Clever Fake?, Jan. 3, 2007, http://www.microsoft.com/protect/yourself/phishing/pharming.mspx.

[18] S M Graydon, Phishing and Pharming:The New Evolution of Identity Theft, (2006) Consumer Finanace. L.Q. Report Vol 60 p. 335, 336 (2006).

[19] The Big Three Email Nuisances: Spam, Phishing and Spoofing https://www.adaware.com/blog/the-big-three-email-nuisances-spam-phishing-and-spoofing accessed 12th March 2018

[20]S M Graydon, Phishing and Pharming:The New Evolution of Identity Theft, (2006) Consumer Finance. L.Q. Report Vol (60) p.335, 336.

[21] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[22]J Lynch, ‘Identity Theft in CyberSpace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) Berkeley Tech. Law .Journal . p.259, 269 .

[23] National Consumers League, ‘A Call for Action’ (2006), Vol. 5 http://www.nclnet.org/news/2006/Final%20NCL%20Phishing%20Report.pdf. Accessed 1st March 2018.

See also J Lynch, ‘Identity Theft in CyberSpace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) Berkeley Tech. Law .Journal . p.259, 269

[24] M Broersma, Barkleys Scam Email Exploits New IE Flaw, ZDNet UK, Jan. 12, 2004, Reetrieved from http://news.zdnet.co.uk/security/0,1000000189,39119033,00.htm. Accessed 3rd March 2018.

“Customers of Barclays and other UK banks have been targeted by fraud emails that exploit a recently discovered vulnerability in Internet Explorer allowing attackers to disguise Web addresses, according to security experts. The Barclays scam email appears to come from the bank, and directs customers to a site posing as Barclays’ online banking Web site, ibank.barclays.co.uk. The scam site then asks people to enter their banking details. Other scam emails appearing during the weekend also used this technique, known as ‘phishing’, along with the same IE bug. The organisations targeted include Citibank, Lloyds and PayPal.”

[26] Microsoft, Spear Phishing: Highly Targeted Scams, Sept. 18, 2006, Retrieved from http://www.microsoft.com/protect/yourself/phishing/spear.mspx. Accessed 3rd March 2018.

[27]Bi-national Working Group On Cross-Border Mass Marketing Fraud, Report On Phishing 8 (2006), http://www.usdoj.gov/opa/report_on_phishing.pdf. Accessed 13rd March 2018.

[28]P S McLean & M M Young, Phishing and Pharming and Trojans–Oh My!, (2006)UTAH B.J. Vol16 (28) p. 32

[29] Graydon

[30] H Weisbaum, ‘Vishing’ Scams Use Your Telephone to Hook You, MSNBC.COM, Aug. 1, 2006, http://www.msnbc.msn.com/id/14138614. Accessed 3rd March 2018.

[31] Weisbaum.

[32] BINATIONAL WORKING GROUP ON CROSS-BORDER MASS MKTG. FRAUD, supra note 9, at 10.

[33] The Big Three Email Nuisances: Spam, Phishing and Spoofing https://www.adaware.com/blog/the-big-three-email-nuisances-spam-phishing-and-spoofing accessed 12th March 2018.

[34] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[35] https://securelist.com/threats/types-of-spam/ Accessed 26th February 2018.

[36] https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html Accessed 26th February 2018.

[37]http://fortune.com/2017/07/13/email-security-phishing/

[38] M Myschyshyn Canadian Spam Law- A Student’s Perspective https://www.robsoncrim.com/single-post/2018/02/01/Canadian-Spam-Law–A-Student’s-Perspective?lightbox=dataItem-ird1gm67 Accessed 26th February 2018.

[39] http://pubs.aeaweb.org/doi/pdfplus/10.1257/jep.26.3.87 Accessed 26th February 2018.

[40] https://www.law.cornell.edu/uscode/text/15/chapter-103 ; https://ipfs.io/ipfs/QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/History_of_email_spam.html Accessed 26th February 2018.

[41] http://laws-lois.justice.gc.ca/PDF/E-1.6.pdf Accessed 26th February 2018.

[42] https://lop.parl.ca/Content/LOP/LegislativeSummaries/40/3/c28-e.pdf Accessed 23rd February 2018.

[43] http://www.newswire.ca/news-releases/crtc-serves-its-first-ever-warrant-under-casl-in-botnet-takedown-560496941.html Accessed 26th February 2018.

[44] http://www.chamber.ca/resources/casl/ Accessed 26th February 2018.

[45] https://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf Accessed 26th February 2018.

[46] https://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872 Accessed 26th February 2018.

[47] http://cseweb.ucsd.edu/~savage/papers/LoginInterview11.pdf Accessed 26th February 2018.

[48] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[49] The Big Three Email Nuisances: Spam, Phishing and Spoofing https://www.adaware.com/blog/the-big-three-email-nuisances-spam-phishing-and-spoofing accessed 12th March 2018.

[50] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[51]Gartner is an information technology research and advisory company. Gartner Survey Shows Phishing Attacks Escalated in 2007; more than $3 Billion Lost to These Attacks (Dec. 17, 2007), http://www.gartner.com/it/page.jsp?id=565125. Accessed 26th February 2018.

[52] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[53] What Is Malware, Spyware, Spam, Phishing, Pharming, etc.? https://www.totalbank.com/what-is-malware–spyware) accessed 20th February 2018

[54] R Almahroos Phishing For The Answer: Recent Developments In Combating Phishing A Journal Of Law And Policy (Vol. 3:3)

[55] http://www.theorator.com/bills109/hr744.html. Accessed 26th February 2018.

[56] R Almahroos Phishing For The Answer: Recent Developments In Combating Phishing A Journal Of Law And Policy (Vol. 3:3).

[57] R Almahroos Phishing For The Answer: Recent Developments In Combating Phishing A Journal Of Law And Policy (Vol. 3:3).

[58] Section 58 Cyber Crimes (Prohibition, Prevention Act 2015)

[59] 32 (3)

[60] Section 58 Cyber Crimes (Prohibition, Prevention Act 2015)

[61] https://m.facebook.com/story.php?story_1681615211919717&id=1610667877307908 Accessed 12th March 2018. The NCC at the 39th Kaduna International Trade fair the Executive chairman of NCC through Amina Shehu spoke on the DO-NOT-DISTURB 2442CODE.

[62] The Crimes Act Amended (2003) Part 10 Section 249 (1) (a).

[63] The Crimes Act Amended (2003) Part 10 Section 249 (2) (a).

[64] The Crimes Act Amended (2003) Part 10 Section 249 (2) (b).

[65] The Crimes Act Amended (2003) Part 10 Section 249 (2) (c).

[66] The Crimes Act Amended (2003) Part 10 Section 250 (1).

[67] The Crimes Act Amended (2003) Part 10 Section 249 (2) (b).

[68] The Crimes Act Amended (2003) Part 10 Section 250 (1) (2)

[69] The Crimes Act Amended (2003) Part 10 Section 250 (2) (a)

[70] CEM- is a business related message sent by any means of telecom including e-mail, text, sound, or image messages

[71] M Rouse and I Wigmore, ‘Canadian Anti-Spam Law’ Retrieved from www.whatisstechtaget.com Accessed 10th March 2018.

[72] Ibid.

[73] Sections 402.1, 402.2, and 403 of the Canadian Criminal Code.

[74] section 362 (1) (c) (ii)

[75] http://articles.latimes.com/2012/mar/25/business/la-fi-lew-20120325 ; https://web.archive.org/web/20120705075209/http://www.fraudguides.com/internet-craigslist-scams.asp

[76] Canadian Criminal Code section 346 (1)

[77] Canadian Criminal Code section 430

[78] Canadian Criminal Code section 430 (1.1)

[79] [79] Canadian Criminal Code section 342(1)(1)

[80] R v Charania, 2012 ONCJ 637, 2012 CarswellOnt 13265.

[81] Spamlaws.com, Enacted Legislation: CAN-SPAM Act of 2003,

http://www.spamlaws.com/federal/summ108.shtml Last Accessed 12th March 2018.

[82]The first person to be convicted under the provisions of the CAN-SPAM Act was Jeffrey Brett Goodin, who in January 2007: was found guilty of sending thousands of e-mails to America Online users under the guise of messages from AOL’s billing department that prompted customers to send personal and credit card information. He then used the information to make unauthorized purchases. See also Brian Prince, Man Found Guilty of Targeting AOL Customers in Phishing Scam, PC MAG., Jan. 18, 2007, http://www.pcmag.com/article2/0,2704,2085183,00.asp. Last Accessed 12th March 2018.

[83]Melissa Campanelli, US Web Safe Act Signed into Law, DMNEWS, Jan. 3, 2007,

http://www.dmnews.com/US-Safe-Web-Act-signed-into-law/article/94010/. Last Accessed 12th March 2018.

[84] The Undertaking Spam, Spyware and Fraud Enforcement with Enforcers Beyond Borders Act, known as the U.S. SAFE WEB Act, was signed into law on December 22, 2006.

[85] Posting of Charlene Brownlee to Privacy and Security Law Blog, http://www.privsecblog.com/archives/spam-us-safe-web-act-of-2006.html Last Accessed 12th March 2018.

[86] Press Release, Senate Comm. on Commerce, Sci. & Transp., Congress Approves U.S.

SAFE WEB Act (Dec. 9, 2006), available at

http://commerce.senate.gov/public/index.cfm?FuseAction=PressReleases.Detail&PressRelease_id=248704&Month=12&Year=2006. Last Accessed 12th March 2018.

[87] Cyber Sec. Indus. Alliance, Ratifying The European Convention On Cybercrime 1 (2005), http://www.csialliance.org/publications/csia_whitepapers/CSIA_CoE_Convention.PDF Last Accessed 12th March 2018.

[88] Council of Europe, Summary of the Convention on Cybercrime,http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm Last Accessed 12th March 2018.

[89] ibid

[90]Electronic Privacy Information Center, The Council of Europe’s Convention on Cybercrime, http://www.epic.org/privacy/intl/ccc.html. 614 I/S, states that 100 billion spam emails were sent in 2013

[91] http://www.frontiernetworks.ca/aup/ Last Accessed 12th March 2018.

[92] https://www.esecurityplanet.com/network-security/almost-100-billion-spam-e-mails-sent-daily-in-q1-2013.html Last Accessed 12th March 2018.

[93]https://www.csoonline.com/article/2975193/data-protection/9-steps-completely-anonymous-online.html Last Accessed 12th March 2018.

Do you have something awesome to share with the world? Click here to share

Do you ever have any question about anything you wish to ask and get answer? Click here to ask

Follow us on twitter @NigeriaTodayNG

Also, Like us on facebook

Share this: Facebook

Twitter

WhatsApp

Google

Tumblr

LinkedIn

Skype

Pocket

Reddit

Print

Pinterest

