Zach Edwards

1.2K Followers
2.5K Following
114 Posts
privacy & data supply chain research // email me @ [email protected] for Signal // #build🔥🕸
šŸ•øļøšŸ˜ļøhttps://victorymedium.com/
bird sitehttps://twitter.com/thezedwards

Today the world has learned the name of an advertising company who has been tracking ~1.3 billion people per month via their access to the global advertising bid stream and selling that data via a subsidiary they own. This includes selling mobile data from U.S. military service members in Europe.

That company is Eskimi – eskimi[.]com.

@404 Media and @Wired are out with pieces today already –
https://www.404media.co/eskimi-2/
https://www.wired.com/story/rtb-location-data-us-military/

Now what does this mean for the world?

As I said in the articles, “There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests.”

Essentially, the global advertising bid stream is a giant trust fall, which companies like Google are failing to police. Companies like Eskimi would never have access to this amount of data unless they are approved by companies like Google via their “Authorized Buyers” program. And currently, Eskimi is still in this program and still right now ingesting bulk advertising data all over the world.

But how didn’t Google catch this? How did this go on for years without any public disclosures or serious investigations? How did Google miss that Eskimi has a subsidiary called RedMob (redmob[.]io) which openly brags about the advertising data they are selling?

At this point, knowing what the public knows about these advertising systems, how they have been used for offensive attacks and used to track sensitive people, including members of the government and military, why isn’t more being done?

Why does Google keep acting surprised that the global advertising bid stream - the RTB ad tech flows – are powering the global data broker ecosystem?

Everyone who has bought data from a global data broker knows that the vast majority of the data contains ā€œMobile advertising IDsā€ (MAIDs) - IDs created by Google and Apple via software on their devices. And yet Google and Apple continue to do nothing to evolve these ID schemes?

And Google is not only providing the join keys to track people via these MAIDs, they are also approving companies like Eskimi to access the bulk data in the bid stream!

The world cannot continue ignoring the threat of data brokers who are allowed to operate unrestricted within the global advertising bid stream. We cannot keep ignoring that advertising systems power *all* of the major data broker schemes.
I’m personally horrified that Eskimi has gone this long without any scrutiny, but not shocked that Google gave an unserious answer about how they would police this behavior. Companies like Google, who control both the ID schemes and the access to the bulk user data, need to get far more serious about investigating all of the companies that have access to these sensitive waterfalls of user data.

I stand behind my position that advertising companies are merely surveillance companies with better business models, but don’t think the public should accept that as a permanent reality.

Please take the time to read these pieces and internalize what this means for everyone in the world. Ad tech data is being used to track not only U.S. military members in Europe, it’s tracking essentially everyone who doesn’t turn off their MAIDs. If you are a member of the ad tech community – what are you going to do about the state of the industry that is facilitating this type of abuse?

The Murky Ad-Tech World Powering Surveillance of US Military Personnel

A Florida data broker told a US senator it obtained sensitive data on US military members in Germany from a Lithuanian firm, which denies involvement—revealing the opaque nature of online ad surveillance.

404 Media
@KarlE @RDBinns very true that's occurring but the web tracking / advertising doesn't create "portable data" and isn't tied to location data the same way mobile ads data is. It's still a risk / concern but mobile ads are a whole different beast imo and the core priority for privacy improvements.

It's been over 2 years since Google said publicly (https://blog.google/products/android/introducing-privacy-sandbox-android/) they were moving forward with plans to deprecate the Android Advertising ID. This is the #1 thing that Google could do to improve privacy outcomes and reduce the ability for data brokers and random orgs / people from being able to track Android users. Changes here would gut the current data broker ecosystem. Google just needs to do what they said they would do, and the world will be far more safe and private.*

*There are still plenty of problems with the advertising bid stream Google operates but fewer public promises for reforms there.

Introducing the Privacy Sandbox on Android

We are expanding the Privacy Sandbox initiative to Android to introduce new, more private advertising solutions to mobile.

Google
I'm hoping for the best outcomes, but preparing for the worst. There won't be honorable people in many important positions this time around, and it looks like all branches of federal power will be held by one party hell-bent on revenge. I'm terribly disappointed that people who tried to overthrow our government are likely now going to see pardons, and their behavior will likely only get worse. Protect yourself, protect your family and community. And then if and when it's possible, join folks in resisting and rebuilding. 🖖

Remember that polyfill[.]io supply chain attack from a couple months back that SanSec first reported on? A company called "FUNNULL" out of China were behind it. But wait, our team at Silent Push knew them?? 👀

Today, our team at Silent Push released a massive report about China threat actors associated with FUNNULL. We're dubbing the network "Triad Nexus" and there are a ton of details that are important for folks to appreciate.

Read the research @ https://www.silentpush.com/blog/triad-nexus-funnull/

@lorenzofb at @Techcrunch wrote up the research this morning "Researchers link Polyfill supply chain attack to huge network of copycat gambling sites" @ https://techcrunch.com/2024/10/22/researchers-link-polyfill-supply-chain-attack-to-huge-network-of-copycat-gambling-sites/

To give a little context to the research:
Our team at Silent Push had come across FUNNULL 2+ years ago because they were one of the hosts that a network of pig butchering job / investment scams were using. We wrote up that research publicly @ https://silentpush.com/blog/fake-trading-apps/ but didn't mention FUNNULL publicly at the time...

FUNNULL was not only hosting pig butchering scams, but also were directly behind the big polyfill supply chain attack, so we started work on the report released today. We were able to map out the FUNNULL CDN clients and realized ~all were borderline or clearly criminal schemes.😲

On FUNNULL today, there's a retail phishing campaign which targets:
Aldo, Asda, Bonanza, Cartier, Chanel, Coach, eBay, Etsy, Gilt Groupe, Inditex, Lotte Mart, LVMH, Macy’s, Michael Kors, Neiman Marcus, OnBuy[.]com, Rakuten, Saks Fifth Avenue, Tiffany & Co., and Valentino.

Beyond the retail phishing campaign and pig butchering scams hosted on FUNNULL, we quickly realized that there were tens of thousands of online gambling websites in Mandarin hosted on this CDN. But surprisingly, most of the websites looked very similar...

Once we found the cluster of online gambling websites, we started to analyze the total number of brands seen here -- and we found a dozen unique brands, mostly orgs out of China. But why did these brands have these similar looking websites cloned across thousands of domains each?

During the course of the reporting process, we came to realize that the brand bWIN, among the brands with sites, was claiming they had *nothing* to do with the sites featuring their brand on the FUNNULL CDN. So why would someone create thousands of sites with their brand? WTF??

Our team continued to investigate the online gambling websites and we were able to find a template hosted on a Github repo that was referenced in FUNNULL source code which was about "跑分" -- basically Chinese slang for money moving/ money laundering.

We continued to investigate the money moving network associated with FUNNULL and came to realize the Telegram accounts promoted on these pages were signing up clients for these schemes. A whole network of telegram accounts is being used for this which look like:

We also realized that among the gambling brands being used on the FUNNULL CDN, it included the brand "Suncity Group" -- this brand may be ~unknown in the Western world, but they are behind one of the largest money laundering rings in the world. Their FUNNULL sites look like this:

Suncity Group may similarly be having their trademarks abused, just like BWIN, but Suncity's CEO is facing 18 years in jail in China, along w/ dozens of SCG executives, and they were alleged to have laundered $40 billion through casinos and gambling junkets.

Suncity Group was also featured in a U.N. report about money laundering and organized crime earlier this year @ https://unodc.org/roseap/uploads/documents/Publications/2024/Casino_Underground_Banking_Report_2024.pdf // SCG is credibly alleged to have laundered millions of dollars for Lazarus Group -- the North Korean hackers.

So what we've found at this point is a Chinese network hosting tens of thousands of online gambling websites, which are clones of each other, using ~12 different gambling brands on the sites. One brand has publicly claimed no affiliation to it and their brand is being abused...

On many of the FUNNULL gambling sites in Mandarin, there are "Tether deposit bonuses" and what is basically a Tether lottery.

And to make matters worse, most of the websites -- from the retail phishing websites and pig butchering scams, to these murky online gambling websites -- they are renting IP space from Microsoft and Amazon. And Microsoft has been renting to them since at least 2021!

Our team believes that once this shakes out, FUNNULL or their largest client is likely operating a fake online gambling ring abusing the trademarks of a dozen major brands for the purpose of money laundering. We hope none of the casino companies are directly involved, but TBD.

It seems clear that both Amazon and Microsoft and other vendors who have been selling IP space to the FUNNULL CDN haven't done proper due diligence on the content hosted on these websites. We found ~nothing that was legitimate -- from pig butchering investment and job scams, to hundreds of retail phishing websites, and tens of thousands of online gambling websites with murky purposes. It is all borderline or clearly illegal content.

Our investigation into the FUNNULL CDN is massive and I couldn't include all the details from our investigation in this thread. Take a look at the research @ https://silentpush.com/blog/triad-nexus-funnull/ and don't hesitate to ping if you've ever seen something similar or have any details to share! 🌩️⚖️

Triad Nexus: Silent Push exposes FUNNULL CDN hosting DGA domains for suspect Chinese gambling sites, investment scams, a retail phishing campaign, and a polyfill.io supply chain attack impacting 110,000+ sites - Silent Push


Silent Push - We Know First

This past week some of my team's work at Silent Push about our efforts to track FIN7 / Sangria Tempest was featured in the RecordedFuture Click Here podcast.

"The Hunt for FIN7: Hot on the trail of a notorious cyber gang" @ https://podcasts.apple.com/us/podcast/164-the-hunt-for-fin7-hot-on-the-trail-of/id1225077306?i=1000668983615

"Mic Drop: FIN7 is hiring" @ https://podcasts.apple.com/us/podcast/165-mic-drop-fin7-is-hiring/id1225077306?i=1000669405301

Our FIN7 research from a few months ago is @ https://www.silentpush.com/blog/fin7/

The second podcast "FIN7 is hiring" is particularly interesting because this is the *third* time that FIN7 has spun up a fake cybersecurity company to potentially recruit unsuspecting collaborators. Their current site is cybercloudsec[.]com so uh don't do any pen tests for that firm, ya?

164. The Hunt for FIN7: Hot on the trail of a notorious cyber gang

Investigators have been chasing the Russian-speaking cyber gang for years — and they’ve stayed just one step ahead. Threat researcher Zach Edwards lays out why

Apple Podcasts

Fin7 aka Sangria Tempest is back on their bullshit w/ scaled up infrastructure attacking a wide range of Western targets. We’ve been working on this massive report for months and now can publicly explain that Fin7 has over 4,000 domains and IPs they are using for these attacks.🧵

Read the Krebs on Security post “The Stark Truth Behind the Resurgence of Russia’s Fin7” @ https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

Read our full piece @ https://www.silentpush.com/blog/fin7/
Fin7 has been operating for over a decade, with DOJ noting there were 70+ people (https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme) within this financial crime group, “...organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems.” Over the last few years there was a huge push by the DOJ/FBI to take down their network, which resulted in 3 indictments and a bold statement by the DOJ in 2023 that “Fin7 as an entity is no more.”

But just weeks after the DOJ made their bold / ridiculous claim, Microsoft Threat Intelligence was already publicly saying “Financially motivated cybercriminal group Sangria Tempest (ELBRUS, FIN7) has come out of a long period of inactivity.” https://x.com/MsftSecIntel/status/1659347799442432002

For most of 2023, Fin7 was operating quieter than normal and there were few public reports about their attacks. But starting in 2024 that all changed, and there have now been reports from several respected cybersecurity companies about niche attacks they have seen through their own client visibility.

But at Silent Push, we don’t rely on client data for visibility - it’s our own data from our own scanning methods. And we scan the internet billions of times per day, at a scale that makes it possible for us to track all types of threats. We ended up getting a lead from a source which helped us pivot into more… and more… and more of the new Fin7 infrastructure.

For the past few months we’ve been sitting on thousands of their domains – watching the content change – testing and understanding their orchestration methods — and collaborating with clients and peers in the industry to ensure we knew what was going on and their targets were being warned.

During this process, we picked up phishing and malware delivery infrastructure targeting numerous major brands. Some of those include: Louvre Museum, Meta, Reuters (and WestLaw), Microsoft 365, Wall Street Journal, Midjourney, CNN, Quickbooks, Alliant, Grammarly, Airtable, Webex, Lexis Nexis, Bloomberg, Quicken, Cisco (Webex), Zoom, Investing[.]com, SAP Concur, Google, Android Developer, Asana, Workable, SAP (Ariba), Microsoft (Sharepoint), RedFin, Manulife Insurance, Regions Bank Onepass, American Express, Twitter, Costco, DropBox, Netflix, Paycor, Harvard, Affinity Energy, RuPay, Goto[.]com, Bitwarden, and Trezor.

Software being targeted includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js

We also discovered a new cybersecurity shell company cybercloudsec[.]com – which aligns to past Fin7 TTPs (https://www.justice.gov/opa/press-release/file/1084361/dl?inline). Fin7 previously created a fake computer security company called “Combi Security” which was used to recruit new members and further their attacks.

Some of the new Fin7 infrastructure will redirect some visitors to malicious phishing pages and other visitors to boring shell websites. We saw this behavior with the domain escueladeletrados[.]com which for some visitors looked like a random commercial website and other visitors were redirected to a phishing page targeting Alliant Credit Union.

We picked up Facebook Business Manager phishing pages with slick phishing kits integrated into them.

We even picked up a custom Louvre Museum phishing page that looks identical to the real thing, and is potentially targeting Paris, France visitors to the Olympics right now.

Fin7 is targeting the users of popular website host Wpengine with multiple domains set up for phishing.

We’ve also recently seen a new crypto phishing widget that Fin7 was testing on a new site, which targeted Coinbase, Metamask, Rainbow Crypto Wallet, Ronin Wallet, OKX Wallet, Trust Wallet, Exodus, Phantom, and WalletConnect. We expect to see increased crypto targeting from Fin7 in the near future.

Fin7 has also been targeting CNN + WSJ + Reuters — three major news organizations each have malware named after them which is being served to users who find their way to one of the Fin7 pages that pushes a fake browser extension. We’ve seen the WSJ + Reuters phishing pages and they look like exact copies of the real news websites. We haven’t seen a live CNN malware delivery page yet but believe they could exist or will sometime in the near future.

Fin7 also has malware delivery infrastructure that spoofs Microsoft Sharepoint.

I could go on and on about what Fin7 is doing and why everyone in the cybersecurity community needs to get them back on their radar, but I’d encourage folks to review the Krebs piece @ https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/ and our full research @ https://www.silentpush.com/blog/fin7/

Don’t hesitate to reach out with any questions or new leads for tracking Fin7 – thanks for everyone’s work to slow down these folks’ new operations!

The Stark Truth Behind the Resurgence of Russia’s Fin7 – Krebs on Security

Early this morning our team at Silent Push shared some research into .gov.uk council websites that contain online ads, along with ads.txt files which includes a historically problematic Chinese vendor.

Within hours of the research going live, the vendor in charge of those websites agreed to remove the vendor from all the sites. View some of the coverage @ https://www.theregister.com/2024/04/24/ads_on_gov_uk_websites/

And our original research @ https://www.silentpush.com/blog/chinese-adtech/

This is also the casual announcement that we've got ads.txt + app-ads.txt + sellers.json data in our *free community platform* (SilentPush.com) -- along with a new private API we're testing as we work towards full release.
We've now got more ad tech data than any source to my knowledge. Have fun!

If Britain is so bothered by China, why do these .gov.uk sites use Chinese ad brokers?

One wonders why are there adverts on public-sector portals at all

The Register

The U.S. Government finally approved a GDPR-like framework for people who travel to Europe, which essentially ensures that people can exercise rights under GDPR once back at home. If there are problems the Department of Commerce steps in with the support of the Department of Recreation via the Department of the Interior. Orgs covered under GDPR/ this new framework have 180 days before compliance. The public comment period has already begun! Additional details @

https://www.recreation.gov/api/redirect?account_id=32dd40e4-07fa-5832-adb6-e94b3d1a05e5&url=https://www.youtube.com/watch?v=dQw4w9WgXcQ

My presentation “International Threat Actors are Targeting Children to Steal Money from Banks & Major Corporations” from BlackHat USA 2023 was just released! 🎉 ⚖

If you’re interested in complex ad fraud scenarios involving corporate threat actors *that are still happening right now this very moment* then please take the time to watch. You’ll see some big brands in the presentation, and I specifically call out several mobile attribution providers who are being targeted by these threat actors.

https://www.youtube.com/watch?v=bYS4YvwmF8o

Some of this research was covered by WIRED last year @ https://www.wired.com/story/poison-pdf-scam-fortnite-roblox/ but there’s a lot more to this story that I’ll eventually be sharing with folks.

But for now – just a little reminder that these folks love to compromise infrastructure - they automate huge amounts of spam - and they are targeting children with video game scams which end up defrauding major brands via their Cost-Per-Action / App-install schemes. 💸 💸 💸 💸

International Threat Actors are Targeting Children to Steal Money from Banks & Major Corporations

YouTube