Today, HUMAN’s Satori Threat Intelligence and Research team published a report summarizing a domain cloaking operation dubbed Camu.
At its core, Camu was a ruse by which digital content pirates could cash in on their piracy. The threat actors packed websites hosting pirated movies and TV shows with ads, then gated access so that the pirated content appeared only when a user arrived by clicking a link on a different website that listed the available content. A user who tried to go directly to the site hosting the pirated content would find a benign blog instead. This hid the real context of the ads from brands checking their audit reports.
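The behavior described above can be checked from the defender's side by comparing two captured snapshots of one URL, one from a direct visit and one from a visit arriving through a referring link, and flagging the pair when the visible text diverges. The Python below is an added example, not code from HUMAN or the Satori report; the function names, the 0.5 similarity threshold and both HTML snapshots are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed snapshots of the same URL (sample data, not from the report).
DIRECT = ("<html><head><title>Garden Notes</title><style>p{margin:0}</style></head>"
          "<body><h1>Garden Notes</h1>"
          "<p>Tips for growing tomatoes and herbs at home.</p></body></html>")
REFERRED = ("<html><head><title>Watch Now</title></head><body><h1>Watch Now</h1>"
            "<p>Stream the full movie in HD.</p><script>var slots=12;</script>"
            "</body></html>")


class _Visible(HTMLParser):
    """Collect the title and visible words, ignoring script and style bodies."""

    def __init__(self):
        super().__init__()
        self.words, self.title, self._current = set(), "", None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style", "title"):
            self._current = tag

    def handle_endtag(self, tag):
        if tag == self._current:
            self._current = None

    def handle_data(self, data):
        if self._current in ("script", "style"):
            return  # rotating ad code must not count as a content change
        if self._current == "title":
            self.title += data.strip()
        self.words.update(re.findall(r"[a-z0-9]{3,}", data.lower()))


def profile(html):
    parser = _Visible()
    parser.feed(html)
    parser.close()
    return parser.title, parser.words


def compare_views(direct_html, referred_html, threshold=0.5):
    """Jaccard similarity of visible words; below threshold means divergent views."""
    d_title, d_words = profile(direct_html)
    r_title, r_words = profile(referred_html)
    union = d_words | r_words
    similarity = len(d_words & r_words) / len(union) if union else 1.0
    return {"similarity": round(similarity, 2),
            "title_changed": d_title != r_title,
            "suspect_cloaking": similarity < threshold}
```

A flagged pair is a lead for manual review rather than proof, since legitimate personalization can also change what a page shows.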
Camu—named based on a loose translation of the Brazilian Portuguese word for “cloaking”—accounted for 2.5 billion bid requests a day at its peak, marking it as the biggest domain cloaking operation Satori has published to date. To put this figure into perspective, that’s the daily average digital ad activity for the city of Atlanta.
Operations like Camu represent the challenge to a threat actor in making digital piracy profitable:
All of this underscores the need for threat actors to move quickly to monetize their digital piracy and cash out before they get shut down. And as digital advertising is one of the simplest ways for a threat actor to create a revenue stream, it’s often the mechanism of choice for a digital pirate.
One critical takeaway from the Camu story is that audit reports can’t be trusted solely on faith. It’s a bit counterintuitive to conclude that an automatically generated account of ad activity and performance can’t be taken as gospel, but that’s the crux of domain cloaking as it pertains to the digital advertising industry: the same URL on which an ad runs may look different from one viewer to the next. Audit reports are but one tool in an advertiser’s kit to assess the ROI of their campaigns. They’re certainly useful, but not every insight about a campaign’s performance can rely on that one tool.
That’s where a partner like HUMAN comes in. Since domain-cloaking operations are difficult to recreate without the context and expertise, an organization like HUMAN can be indispensable to ensure that brands have accurate, meaningful, and actionable information. Pair an audit report with HUMAN’s Advertising Protection and safeguard campaigns from being set up through a cloaking operation.
The very existence of an operation like Camu is a good-news-bad-news situation:
Thankfully, organizations like the Human Collective exist for that very reason. Members of the Collective share threat details and metrics with one another to stay informed on new and emerging schemes, boxing out fraudsters from the ecosystem.
In short, stay on the offensive. By continuing the hunt, Satori researchers reduce the time threat actors have to make a scheme profitable before it is identified. By applying protections from one attack throughout the Human Defense Platform, HUMAN makes it harder for a scheme to have a chance of being profitable for a threat actor. Staying aggressive against threats like Camu pushes threat actors to change their targets and their tactics, protecting the digital advertising ecosystem for everyone on both the supply and demand sides.
Satori has a long legacy of protecting the internet from its own worst elements, and Camu is but one more example of threat detection in action.