www.humansecurity.com
2606:2c40::c73c:671d
Public Scan
URL:
https://www.humansecurity.com/learn/blog/the-partys-over-humans-satori-threat-intelligence-and-research-team-cleans-up-konfety...
Submission: On July 17 via api from TR — Scanned from DE
Form analysis
1 forms found in the DOM
GET https://www.humansecurity.com/hs-search-results
<form class="menu-search" action="https://www.humansecurity.com/hs-search-results" method="GET">
<input name="term" placeholder="Search">
<input type="hidden" name="type" value="SITE_PAGE">
<input type="hidden" name="type" value="BLOG_POST">
<input type="hidden" name="type" value="LISTING_PAGE">
<button></button>
</form>
Text Content
THE PARTY’S OVER: HUMAN’S SATORI THREAT INTELLIGENCE AND RESEARCH TEAM CLEANS UP “KONFETY” MOBILE AD FRAUD CAMPAIGN

By Satori Threat Intelligence and Research Team
Jul 16, 2024
Ad Fraud, Research & Detection, Threat Intelligence

Evil twins. Decoys. An abused and misused SDK named after candy. It's like a dark fairytale, isn’t it? But this is no fiction. It's a cunning mobile advertising fraud campaign that peaked at 10 billion bid requests per day before HUMAN’s Satori Threat Intelligence and Research team disrupted it.

The scheme, named Konfety by the Satori team, involved an advertising SDK called CaramelAds and an “evil twin” evasion method to operate undercover. The threat actors maintained non-malicious “decoy” applications on the Google Play Store, all of which used the CaramelAds SDK—not inherently malicious in and of itself. The 250+ apps gave the illusion of being owned by different developers, even though many are template-based games, most of which the Konfety actors owned. In addition, HUMAN observed that the actors were also re-selling inventory for applications they do not own directly.

As soon as HUMAN’s Satori Threat Intelligence team identified this activity, it started to flag high-confidence traffic sourced from these applications. After implementing countermeasures to protect our customers, we immediately began observing adaptations in the ad networks targeted by the malware; the threat actors switched their targets to ad networks not protected by HUMAN.

Those who have partnered with HUMAN for pre-bid mitigation and post-bid detection can rest assured that they are fully protected from Konfety's impacts, providing security in the face of such threats.

According to Google, Google Play Protect warns users and disables apps identified to be "Evil Twin" apps. Google has been actively monitoring the variations and protecting users over the course of its existence.

Check out our report if you want to explore more technical details and understand the expertise of the Satori team.

Malvertising, Click-Baiting, and Drive-By Attacks, Oh My!

So, how was the Konfety group able to deploy its devious scheme? The threat actors abused the CaramelAds SDK to simultaneously create a stripped-down version of the SDK without GDPR consent to produce the evil twins, which fraudulently generate ads using the publisher accounts from the Google Play Store apps. The fraudsters created these “evil twins” in massive numbers—something never seen before—and infected users via malvertising, click-baiting, and drive-by attacks. The evil twins then:

* Modified traffic to appear as though it originated from any type of device the actor chose
* Opened any URL using the device browser
* Did not perform any validation that the device was legitimate, that ads rendered correctly, or other checks standard in well-established networks

Both the decoys and the evil twins used the CaramelAds SDK. However, they used different domains for C2, with some hosted by the same IP address as other CaramelAds infrastructure.

The decoy apps contained the “full” version of the SDK, which includes a GDPR consent notice. Evil twins only downloaded the SDK as part of a second stage once the application was fully set up and used a pared-down version of the full SDK, with only the necessary components to render out-of-context ads. All the debug outputs and GDPR consent screen were absent.

Let’s take the ad fraud component of Konfety as an example. From an app user's perspective, imagine getting a request asking if you want to open a Wikipedia article in the app. The Konfety actors would use this technique to hijack your phone screen and then:

* Display full-screen, out-of-context, hard-to-escape ads every few minutes
* Stack multiple ads at a time
* Exploit notifications to engage with you, the victim

Cleaning up the Konfety

The Konfety campaign demonstrates a new, innovative way cybercriminals conduct ad fraud operations. The evil twin method aims to circumvent official app store rules to enable criminal activity. Before the HUMAN Satori team uncovered Konfety, the scheme peaked at 10 billion daily fraudulent bid requests. The campaign affected multiple entities across the advertising ecosystem, including ad networks, and could have affected developers unknowingly using the CaramelAds SDK.

While the HUMAN Satori team could not tell how many evil twin downloads occurred, it has developed signatures for the Konfety scheme. We are also tracking any additional apps in openly available repositories, but the team did not observe the Konfety threat on iOS. We have also provided our detection and signature insight to external partners. As a result of these efforts, fraudulent bid requests have substantially decreased.

HUMAN is dedicated to protecting the integrity of the internet and the authenticity of advertising. We work to define industry standards and advocate for adoption to protect the ever-evolving ecosystem.

If you’re part of the programmatic advertising ecosystem and want to harness HUMAN’s industry-leading protection, contact us today.