BADBOX 2.0
TL;DR: BADBOX 2.0 is a botnet of millions of pre-infected cheap Android TV boxes, tablets, and projectors used for ad fraud and residential proxies. Google sued 25 anonymous operators; researcher Gavin Reed of Human Security explains how it grew…
Hey, maybe don't buy that $14 projector off Amazon. In this episode, we dive into the sequel nobody asked for: BADBOX 2.0 — the return of last year’s botnet built out of bargain-bin Android gadgets. Google just filed a lawsuit in federal court alleging that millions of sketchy streaming boxes, projectors, and mystery electronics were shipped pre-infected from factories overseas. The moment someone plugs one in, it joins a global botnet used for ad fraud, click fraud, and even to rent out your home internet connection to criminals. We talk to the team at HUMAN Security, the researchers credited in Google’s suit, about how they traced this thing across 222 countries, why it came back bigger than before, and how you even begin to kill a botnet that ships itself directly to people’s living rooms.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: That was pretty cool. It was cool and it was scary at the same time. We were like, how how deep does this go at this point? You know, we're you know, and we were looking and and I still look at these as kind of like they're like sleeper cells.
Speaker 2: So Google recently filed a lawsuit in New York federal court. And I was reading it, and I thought to myself, this sounds very familiar, and I wanna see if you recognize it, Scott.
Speaker 3: Also, I just have a quick question. When you're on planes, do you often just read legal filings? Because I think that was maybe the kickoff to an episode, like, two or three episodes ago where you had spent the entire plane ride just reading a court case?
Speaker 2: It's a very personal question, Scott, and I'm offended that you would ask. The lawsuit. Yes. I do. The lawsuit is Google versus 25 different Does, as in John Does, as in Google versus 25 anonymous defendants. Google alleges, basically, that a group of currently unknown operators ran a botnet built out of millions of cheap, uncertified Android devices. TV boxes, tablets, projectors, the kinda sketchy consumer electronic slop you see on, like, Amazon, and you're like, how is anything this cheap, let alone a projector? According to Google, the devices were coming pre-compromised from the factory. And once people plugged them in at home and connected them to the Internet, the device then connected to and became a node in this giant botnet, a swarm of computers that the operators could use for ad fraud or click fraud or even to sell people's home internet connections as, like, residential proxies for other cybercrime. Control a bunch of compromised internet connected computers, and you can get into all kinds of very profitable trouble with it. The idea here is you ship the devices already infected, and let the end user just plug it in for you. And I thought, this sounds so much like a crime spree that we reported on last year called Badbox. The name of the botnet in this lawsuit filed by Google, Badbox two point o.
Speaker 3: Shocking.
Speaker 2: And who does Google credit with the joint research into Badbox two point o that led to this lawsuit? The same folks we talked to last year.
Speaker 3: So? So. We've got those people back.
Speaker 2: We've got our first oh, call it a sequel episode, Scott. Oh. Badbox two. Badbox two
Speaker 3: part part two.
Speaker 2: Too too bad too two two box.
Speaker 3: We'll update the previous episode to be part one.
Speaker 2: Bad box two box harder. The bad box rises. Bad box twenty forty nine.
Speaker 3: Why are
Speaker 2: there so many of these?
Speaker 3: The, the supply chain attacks, like, the things that like this like, you know, coming pre compromised Mhmm. Being delivered out into the world, people plugging them in, them them seamlessly functioning as they they're supposed to.
Speaker 2: You got it.
Speaker 3: But then also being a malicious device that's controlled from a third party from somewhere else just seems so 2025. You know?
Speaker 2: I bought this $43 projector, and something's up. Yeah. A 100%.
Speaker 3: The proliferation of Android across all of the cheap electronics that we get these days and just how plug and play it is to put onto tiny little pieces of hardware. It gives us this control interface, this programming interfaces. It does so much for the developer, creator, inventors, but it also has created an ecosystem that they know how to operate with it and it has all of the network functionalities. You could drop a rootkit into an image of Android that then goes on to 1,000,000 TV boxes or Fire Sticks or, you know, whatever you wanna call them, millions projectors, Wi Fi nodes, you know, all of the I'm looking at my desk and all of the tiny electronic things on them, and I'm like, oh, I wonder if my audio interface control system is Android based. Probably is. Mhmm. So
Speaker 2: And when you look at the cost of developing a piece of, like, electronics hardware, the Google Mobile Services certification that when we talk about an uncertified versus a certified Android device
Speaker 3: is
Speaker 2: thousands to tens of thousands of dollars per SKU. Each object that you make that you wanna have certified by Google to say this is safe, this isn't coming pre shipped with malware, plus thousands of dollars. In the context of a product that costs millions of dollars typically to make, that's a pretty small drop in the bucket. Totally. When you're sending selling a $17 Android box in certain markets, it makes zero sense to incur that cost. In a lot of cases, it's simply a cost saving measure, but it also opens this this little door for this whole other track of behavior that we've been looking at in this series of stories.
Speaker 3: Well, I'm gonna make a weird comparison here and maybe, like, a lead into this. But it you know, like, the end user license agreements that you have in all software that nobody reads?
Speaker 2: Yep. I read those on planes too.
Speaker 3: Yeah. Of course you do.
Speaker 2: I do.
Speaker 3: I feel like they have developed in society, a cause and effect or an action and response of just hitting the approve button. Mhmm. Like, we've just spent money on something. We bought something. We just have to approve this end user license agreement to use what we've bought.
Speaker 2: Yeah.
Speaker 3: So we don't really do any investigation. Like, that that contract could state any number of things in it, but nobody really looks into it. You know, a few a few key reporters will dig into ones that they think of, you know, might have some issues and things like that. But but in in in mass, we just hit approve. Next, continue. I agree. Check the checkbox. Scroll to the bottom if you have to. You know, we all know the the process of getting past those. And I think that they've just that has developed in us a complete and utter disregard for things that might damage us. And buying cheap electronics from a third party in a foreign country that comes shipped stock with default malware installed is is something that we just don't even think about. We're like, oh, I want my cheap TV or I want whatever the the cheap cheap product that I'm purchasing delivers me. And we just hit I agree, we scroll to the bottom, and we click next. And I I feel like it's the same loop with this. You know, we we have no more criticism, critique of what we're doing and what we're buying and how we're using it. We just assume that it's fine, and it will be fine. And I want I want the convenience and the outcome, and I agree.
Speaker 2: In 2019, I signed away power of attorney to a smart toaster.
Speaker 3: I don't know if you're joking. I
Speaker 2: only I only know that I'm joking because I've never bought a smart toaster.
Speaker 3: There you go.
Speaker 2: But I have a lot of electronics that, like, who knows what was in that terms of agreement? I feel you.
Speaker 3: Yeah. Exactly. Like, I'm I'm looking at five monitors right now and have 12 pieces of software open, every single one of which I've accepted an end user license agreement, none of which I've read.
Speaker 2: We we have an interview to get to, but isn't it great when you buy an electronic product and you turn it on and it starts working and there was no, like, oh, I didn't have to sign into I didn't have to create an account in an app and scroll past a bunch of legalese. It just turned on. Yeah. This little field recorder I use for recording audio just
Speaker 3: were
Speaker 2: turned on out of the box. It's magical. But I digress. In the last year, Badbox has changed. It has grown significantly. Badbox one point zero affected roughly 74,000 devices. Badbox two point zero, the one Google is suing over, the one the FBI has just recently issued a public PSA about, the one that has spread to 222 countries and territories, infected conservatively over a million devices. That's according to Human. Google's complaint, the lawsuit, alleges more than 10,000,000 uncertified devices involved. Those are radically different numbers. It's almost like Google, and we talk about this in the interview, has access to a much larger surface of information than literally any other body in the world when it comes to sketchy stuff on the internet. The point is this thing that Human had done all of this really good work to try and slow down and had made real inroads on is now spreading, and is bigger and worse than before. And I had questions. So I got on the horn with Gavin Reed over at Human to just sort of throw those questions at him. How do you kill something like this? How does it come back to life? And are there banger deals in consumer electronic slop I should be taking advantage of? Or should I just assume it's all getting put onto pallets full of malware? Like the projector I almost bought, probably.
Speaker 3: For $14.99.
Speaker 2: It's $19.99. I go for the good. Yeah. Good. Good. Ready to get into it?
Speaker 3: Let's go.
Speaker 2: Let's do it. This is VP of threat intelligence at Human, Gavin Reed, on this episode of Hacked. Gavin, thank you so much for taking the time to sit down and talk with me about this.
Speaker 1: Jordan, thank thanks for inviting me. Looking
Speaker 2: forward to it. So last year, your colleague, Lindsey Kaye, she's the, VP of Threat Intelligence, talked with me on the show about Badbox. I was fascinated by the scale of this. I was also fascinated by the idea that it's it seemed in at least part of the answer to the question, what is the catch with, like, too good to be true electronics on, say, Amazon or something, or maybe too cheap to be good. And now, a year later, we're here talking about the two point o version of the story because the FBI just warned that Badbox two point o had infected over a million consumer devices across 222 countries. To start, paint me a picture of this thing at a high level. What is going on inside of these cheap gadgets, things people are plugging into their TVs, things people are logging into their accounts on? Take me through this at a high level.
Speaker 1: Sure. And, you know, it's it's it's interesting because people think sort of, like, almost like natively that maybe there's an issue with buying some really cheap, appliance and plugging it into my home network. Right? They they sort of instinctively feel that maybe it's not a good idea, but there hasn't been, like, a really good or great use case of exactly why that's a bad thing, I think, up until Badbox. And and, of course, you know, Badbox we knew with Badbox, the money is still there even though, you know, we managed to turn down how they were profiting off of Badbox. One, that, the capability, the whole sort of network to do that sort of thing didn't go away. It's still there. Right? So we, you know, we figured they would be, kinda licking their wounds and figuring out some new ways to do, you know, what they had been so successful in the past. And and, obviously, you know, concerns being that they would have learned from what, you know, we used against them the last time and and potentially get better about that. So, like, you know, with bad bad box two or, you know, as as, sort of bad box one came to an end, there were certain things that we were you know, didn't necessarily publicize that allowed us to keep a a kinda close view onto what this particular group of threat actors are doing. And and to be clear, you know, we're talking about, you know, a loose network of of threat actors or or, you know, they probably call themselves businessmen, that are doing this, but it's not limited to, you know, what we've exposed in bad box two. So in bad box two, we're, you know, we're looking at some very specific people that were behind, you know, in profiting off of bad box one. There are other groups that are doing similar stuff too. And, you know, this is just one, potential network that that's doing this. And, you know, one of the things I like to say about Badbox two is it's bigger and it's badder. Right? 
If you look at you know, we had hundreds of thousands in bad box one, which we thought was bad enough. Right? And and now we're seeing millions. And so not only, you know, have they sort of looked and, you know, figured out what they could do better, how they could be more effective, how they could spread further, how they could avoid detection, how they could, you know, potentially make, you know, even more money off of what they were doing. And they've taken advantage of that. And so as they've come back with Bad Box two, you know, that you've seen our blog and and the various materials about, their the numbers are much, much stronger. So the you know, what was, you know, maybe, an interesting turn of events in Bad Box one and something you'd wanna watch too suddenly became very mainstream with Bad Box two.
Speaker 2: I wanna talk about the scale of Bad Box two. But you very briefly, you alluded to, in the first iteration of this, things that you didn't really publicize. Is there anything since then that wasn't originally publicized that you can tell us about that first iteration?
Speaker 1: Like, you know, what did what did we keep behind what did we keep and not share?
Speaker 2: You know, they're just Build
Speaker 4: their secrets.
Speaker 1: They're yeah. I'm not gonna, you know, go into to the detailed specifics, but understand that, you know, we released, I don't know, maybe, like, 200, 300 different IOCs of of how these guys work and how they set up. And there were some critical ones you could think of, you know, like, as you maybe trace your way backwards, like, from, you know, the end device. Right? That's not so critical to a an operation like this. But as you go further and get closer and closer to, you know, where these devices are being maintained and, you know, updated from, then suddenly those IOCs become a lot more interesting. So kinda work work your way inwards closer to the threat actor groups. And some of those, you know, we've we've continued to monitor.
Speaker 2: You alluded to this. Last year's, you know, bad box campaign hit in that low 6 figures kinda number. This time, kind of at the moment we're talking about this, you're pegging it kind of in the millions. Google's numbers were estimated at around 10,000,000 affected devices. Like, what changed between then and now that this thing has grown so much in size?
Speaker 1: Yeah. Well, you know, a lot changed, and and we, you know, talked sort of briefly about it already, but they looked at what they got caught up in in Badbox one, and then, of course, got better. And so let's go into a couple of those things, that have allowed them to be, you know, you know, have a bigger spread. And and first off, let me just comment on, you know, the maybe the numbers difference between Google and and ours. You know, again, Google's painting a broad stroke there of Android based, CTV type, you know, activities across multiple different threat actors, many of which are linked, to Badbox and some of which are not. Also, Google has a much better visibility into like, we have certain level of visibility into this, but Google has a a much better one. And, as we've done some sinkholing on the Badbox two domains, now we're starting to see, you know, a much bigger spread because there are, you know, components of this that we did not necessarily see. And so we're still seeing, you know, millions of these boxes specifically for Badbox two alone that are that are sinkholed at this moment. But to to focus back on, you know, why why they were successful. So, like, with Badbox one, one of the, you know, one of the things that, you know, made them successful and and made it kinda unique is that they had, basically embedded the, you know, the the malware at the firmware level at at at or near the factories. So that's a strength. Right? Because you can't get rid of it, but it's also a bit of a weakness because there was only one way that they could get infected. It was through this and, you know, there there was no way to really add to the numbers once it had left the factory. And then, you know, look you know, looking into it, there was just one backdoor, Triada, in Badbox one. In Badbox two, we have counted hundreds of different backdoors. So they obviously thought, okay. These guys are looking for Triada. 
They're gonna find it again if we use it, and so let's diversify. Let's, you know, diversify in the types of backdoors that we put in. And so a lot of them are really you know, there could be backdoors that are campaign specific. So they were, you know, targeting a particular group, country, geography, you name it. And there's some, like, slight differences in that backdoor than another backdoor. Majority of the stuff's the same, but there are some slight differences. So having that diversity of backdoors is one way that they achieve that. But, you know, the the bigger thing as far as that goes, is the fact that, as they were as they were creating, Badbox two, they thought, like, you know, we had all these you know, we have this firmware installation, and it had hard coded IP addresses. And so they could, you know, just sinkhole all those and it would go away. And, so, you know, what they decided to do is that they would, you know, they would continue with that pre installation backdoor. Continue to do that. But then they'd have some that weren't really backdoored, but as soon as you plug them in, they would reach out to a C2 and download, you know, the backdoor. So they had another way of, you know, constantly reaching out to making sure that if they wanted to update, like, a different IP address or a different backdoor, different module, they could do that. So they just had these boxes that weren't factory. You know, they didn't have the malware. They didn't have the backdoor, but they did have a call out to a particular C2 who would download that and put it on the system, which they controlled. Right? So if we knew about one of them, they could potentially go to another one. And and then lastly, and and probably most importantly, is they did this sort of bundling that backdoor into third party or unofficial, app stores. 
And so they could do, you know, the way that, you know, people typically get malware through things like drive by downloads or they're enticed to, you know, download something or, you know, that some kid and they're you know, they wanna get, you know, Roblox money or whatever, and they click on something. And there's a game and you have to play it and you have to download it. Well, guess what? That came with Badbox on it. So they they, you know, diversified their, you know, backdoors, and then they diversified the way that they got those backdoors onto platforms so that, you know, they, you know, they were looking at two sort of critical ways that we could stop them so quickly last time to make sure that that wouldn't be the case this time.
Speaker 2: I wanna talk about that kind of moment when you sinkhole the operation in a second. But first, you you made reference to the fact that broadly speaking, this compromise starts on the factory floor. These devices are being shipped with this compromise, and that that's both, like, a strength and a limitation of this. I wanna understand the moment for you and the team. Like, what was the moment when you all first realized these devices are shipping pre-compromised? Was there, like, a smoking gun? Did you just order one, plug it in, and go, yep. That shipped pre-compromised. What was that moment like for you and the team?
Speaker 1: So, you know, it'll have to go back to Bad Box one, but certainly, you know, we we suspected that. And so then what we did is we started to to buy these from all over the place, from brick and mortars, you know, online, just sort of around where we could. And then, yeah, we we were seeing these coming shrink wrapped. You know, it looked like, you know, from the factory. And so that that was, you know, pretty clear indication that what we thought was happening, but was happening. But then I think, like, the real, sort of moment came when we ordered, and got some, got some telephones. They were also shrink wrapped from the vendor involved, and those came, pre baked with, so that at that point, like, you know, there could be a lot of things that happen, you know, between a a retailer that's, you know, shipping lots of different products. But when you start looking at, you know, phone manufacturers and their relationships with particular carriers and stuff, then, you know, that seems a lot more likely that it is coming directly from the factory with no knowledge of anyone in the in between there. So and that that was pretty cool. That was it was cool, and it was scary at the same time because we were like, okay. How how deep does this go at this point? Like, you know, we're you know, and we were looking and and I still look at these as kind of like they're like sleeper cells. They, you know, they sit there. They sit on your network. I've been I've been working, you know, with one here, you know, at my house, obviously, with a bunch of controls in place. And and it does some really scary stuff that, you know, there's things that it that it does that I'm like, man, I you know, I wanna wanna be real sure about my VPN and and all of the guardrails I have in place because this is this is not good.
Speaker 2: I'm curious just very briefly. Like, we we've talked about a few of them, you know, TV Android TV set top boxes, some phones. Are there any other kind of devices that we're talking about here? I saw projectors and some of the materials, like, way any other, you know, types of devices?
Speaker 1: Yeah. I mean, you know, there's a there's a and that's another thing. They broadened out the types of devices that they're using for for Badbox two to to have more success. And, you know, like, one of the you know, we we see tons of these tiny little TV mini sticks. So they're, you know, Android open source operating system running on a thumb drive basically that you can buy for almost nothing. So we've seen a bunch of different, types of those. You know, again, we've seen a bunch of tablets. You know, we've seen a bunch of different generic an Android phones that have this on. We've seen, you know, multiple, you know, tens, if not hundreds of different TVs, CTV boxes. And then kind of one of the more interesting one ones for me is these Android car systems. You know? And I I put one of these in, one of one in in in my partner's car the other day. And it's, you know, it's if you, you know, your nav system's old or you want a new one and you don't wanna have to to to pay a lot of money for it, you can go buy it's basically a tablet and it has, like, Apple TV or sorry. Apple, you know, the Connect and and the and an Android Connect all sort of running in Yeah. Over the, you know, in the auspices of the Android open source operating system. And then you can do things like, you know, have maps and all the rest. And we saw a bunch of those that were compromised too, which is, you know, again, just shows that they were casting a very, very wide net with the understanding that the more, you know, if you start, you know, as we start getting into, you know, what they do to monetize this, one of the ways that they can monetize it is if they can have a really broad net dispersed all over the world, and Right. They don't have to use one box for very long. They can spend a little bit of time on every box and then keep the reputation of those boxes high in, you know, groups that track, say, IP or other reputation. 
So So that when they come to do whatever they're gonna do on a website, they look like a consumer.
Speaker 2: I got dangerously close to buying a suspiciously cheap projector last year when I remembered, there is a too good to be true in all of this. And, I'm glad I did. So you start testing these devices. You're noticing that they're they're calling back to some they're calling back somewhere. I wanna talk about the moment you start sinkholing the operation, redirecting all the traffic. When you see where these things are calling back to, what did that traffic tell you about how widespread this really was? What did you learn from that part of the process?
Speaker 1: So yeah. I mean, before we started sinkholing them, we knew, you know, we could see, through network analysis where they were calling in. We could see through, you know, reverse engineering, you know, the payloads, sort of where they were calling in. And there was a certain commonality, and I forget Badbox two. I think we had, like, about 150 command and controls. You know, some of the each of them doing to some degree different things. So we had a really good idea of, you know, where they were calling in, where they were being controlled from, but we didn't necessarily know how many devices were calling in. And so when we, when I should say we, when, the Shadowserver Foundation, you know, working working with us and working with Google started to sinkhole those, command and controls, then we just saw all these devices that were, you know, constantly calling in, looking for new instructions, you know, from the bad guys, now calling into those sinkholes. So and the sinkholing bit, you know, that was sort of at the very end. We did that, you know, really, you know, it was it was right about when we released our public blog because we didn't want to you know, we we we're pretty, sure that we had a handle on exactly what was going on with that and what was gonna happen post sinkholing, but we didn't want to give the threat actors any sort of, you know, look into, hey. This is gonna be mitigated soon, so maybe it's a good time to try and change things around so that they can escape or update these boxes so that they aren't as dependent on the sinkholed C2s that that they ended up being. So you didn't wanna give them any heads up on that. 
So this is really it was kind of like the last action that happened, at the very end of, you know, over a year of investigation and working with various teams, various groups, including law enforcement on, you know, how how can we better get an understanding of the scope and who's involved and what can we do next to to make it hard for them to continue to make money.
Speaker 2: I mean, you you set it up pretty nicely there who was involved. What if you learned about who was behind all of this?
Speaker 1: Yeah. So there, you know, there's a number of the same kind of threat actor groups that were behind Badbox one. And, you know, we've named them, SalesTracker group and, you know, they're the sort of original Badbox campaign. We named them after, a SalesTracker string that we found in their network data. And then there's the what we're calling the Moyu Group, and they are, they bundled a, you know, a whole bunch of these apps through the unofficial marketplace, and they sell a a residential proxy service called IP Moyu. So we call them the Moyu group. And then there is the the Lemon Group, which is a group that was found initially by our friends and our colleagues at Trend. And they, they're a Chinese based threat actor group that were involved in Badbox. And they're selling residential proxy service, and they're heavily connected in Badbox two to the ad fraud scheme that was based on a series of HTML5, game website, sort of cash out places. And then, you know, lastly, we saw, the same infrastructure being used by, a Malaysian, group called Long TV, and they were, you know, part of, you know, they have branded devices and, you know, we don't know how, obviously, you know, how detailed their knowledge is of of the misuse if their services are being misused or if they're they're part of it, but they're actually a legitimate provider of connected TV services in Malaysia.
Speaker 2: You made reference to the, the residential proxy network, which I think is I'm not sure if that's new from Badbox one to Badbox two, but I found that concept particularly unsettling. This idea that, you know, your, you know, your home Internet connection is for, in a sense, for sale to criminal networks. For anyone that doesn't know, like, what is a residential proxy network, and why is that valuable compared to, say, older botnets that you would have maybe seen?
Speaker 1: Yeah. So let's start with what residential proxies are, because they're actually a bane to my existence. What it is is there's folks that have managed to take over the networks of people like you and I, their home networks, and then have them open up to be able to proxy, almost like a VPN, other networks in, so they can use your network as an endpoint. So if they were going to, say, Netflix to watch a movie, they would be coming through your network and they would be showing themselves to Netflix as you. Right? So Netflix would think, oh, this isn't some miscreant. This is a user in the United States, and we should present him with United States material. And in that kind of lies what the bad guys are using this for. Because folks that are using this for things like account takeover, they're using it for phishing, they're using it for any of the sort of cybercrime activities you can think of. If it's coming from a network, if it's coming from a home, if it's coming from an IP address where 99 to 100% of all the traffic is normal. Right? Hopefully, all the traffic in my network is normal: people watching movies, buying stuff, going on the Internet, sending email. And then suddenly it makes one or two transactions that are abnormal. Often that escapes detection from the systems in front of these other systems that are used to protect them and to stop them. So in other words, if you were coming from a cloud server like Alibaba in China, you'd probably get blocked or they would have very low trust.
Whereas if you're coming from a residence in Ohio and everything he or she has always done has been sort of residential-related traffic, there's a good chance you'll kind of escape the radar, so to speak. And having a really broad spread, having these residential proxy networks that have thousands and thousands, hundreds of thousands of nodes, allows them to persist and just do, like, a couple of transactions, say, off of my iPhone, and then a couple of transactions off of someone else's connected TV device, and then a couple of transactions off another device in a different state or even country. And it allows them to abuse these networks in a way that's highly effective in gaining access to what they're hoping to gain access to. And so this has become a huge stepping stone for the criminals. And, of course, who made money in the gold rush? Right? It's people selling shovels. The same way, selling residential proxy services to the bad guys that are doing initial access or ransomware or whatever has become a huge business. And this is one of the biggest ways and one of the biggest differences between Badbox one and Badbox two: how they monetize through proxy services. Sorry, illegal residential proxy services. Now with Badbox one, we saw modules for proxy service, but we didn't actually ever see them being implemented. So I think that was probably a next step that they were gonna do, and they just never got around to it or never had time to do it. With Badbox two, this was a huge part, even bigger than the ad campaign stuff that they were doing. And in the middle of when Badbox was fully operating, we were watching on many, many nodes that we had in our labs to see what's going on.
And it was really scary, because we had visibility into almost any threat or crime that you would see. Like, we would see these things talked about in the press, and we would go and look and say, oh, yeah. Here we go. We've actually got visibility into that, because these threat actors are using this, and they're using the fact that there's so much misuse of these residential proxies. It's really, even for the threat actors, they can hide amongst a bunch of other threat actors doing bad things, and it's really hard to trace that back to them.
Speaker 2: Yeah. I remember in Badbox one, it seemed like it was fundamentally a story about ad fraud. It's like, let's get this device on your network. It's gonna pipe a bunch of traffic towards a bunch of fake sites running real ads and sort of just juice money out of the giant ecosystem that is Internet advertising. Is that still part of Badbox two, or did they sort of move on to these new tricks?
Speaker 1: No. Absolutely. The programmatic ad fraud. These were hidden ads, you know
Speaker 2: Mhmm.
Speaker 1: And they're rendered without anyone being able to see them. So they're going on on your phone or on your tablet, and you don't see them. It's not like it's an ad that shows up. You don't even know it's there. You may not even be using your device at the time. So there was that. And then there was the hidden web views thing that we were talking about, which was in the H5 game sites. So there are a bunch of these games. And if you actually went as a real user to one of these HTML game sites and tried to play the games, they're, like, unplayable. There's so many ads going through them all the time. There really are no human players on these. What they're doing is selling this ad space and pretending like humans are using it, and they're being manipulated by Badbox two in order to generate hits. And then another thing that we saw that was kind of a step up from what we saw in Badbox one with ad fraud is click fraud. And so if you have an ad and it shows up, right, while you're browsing the web, you might get 10¢ or a dollar or whatever. That's a low amount of money. But now if you click on that ad, suddenly the dollar amount goes up exponentially, so they can steal a lot more money. And so what they did is they had modules inside that were not only going to display these ads, but actually going and clicking on them as if they were a user interested in buying said service, and thus putting the price up for the advertisers that are ending up paying for that. So, yeah, it was definitely a part of it, but it was one that, obviously, we're very well aware of and very well equipped to shut down. And I think they knew that there's a good chance that that wouldn't survive.
And so they really spent a lot of time and put a lot of development into their proxy services, which were much, much harder to shut down.
Speaker 2: This is another aside that I will almost certainly need to cut out. But a few years ago, I was working on, like, a multiplayer online game. And we got a little bit of transparency into some of the other titles that were part of a network that was part of a network that was part of a thing we were part of. And I remember looking at the amount of traffic that was flowing through this game that I'd never heard of, and it was astonishing. And then we were looking at it, and the amount of data, basically, that it was taking, it was as though I was running a speed test anytime we had this game open in a browser. It was just an insane amount of traffic. And it was this weird thing where you're like, I don't quite know what shape of sketchy this is, but I can tell something is
Speaker 1: in writing. Not right.
Speaker 2: Yeah. Something's not right about this. And every so often I hear one of these stories and it just takes me back to that moment. I'm like, I think maybe I am starting to get what was going on there with that weird, sketchy browser game.
Speaker 1: And I'll tell you, with Badbox one, that was the initial sort of verification that we had. If you're a Badbox one, there were three apps. I forget the names of the apps, but three apps in particular. And if, like, 98% of your traffic was coming from those three apps, you're a Badbox. There was no other. And so that's how we initially found a lot of them, or did a very quick test to see if a box was a Badbox without having to decompile anything or reverse engineer anything. We could just tell if those three apps were saturating your network link and nothing else was even coming close. Then you were Badbox.
Speaker 2: Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10 of all e commerce in The US. From household names like, well, hacked podcasts merch to brands just getting started, you can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button that's used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.
Speaker 4: This Father's Day, do more with dad and spend less with low prices guaranteed at the Home Depot. Get him fired up with a new grill and accessories, like the next grill five burner for just $299 so you can spend more time together while he becomes the grill master he was always meant to be. Or build memories with savings on top brand power tools so you can tackle projects side by side. Give more and do more together this Father's Day with help from The Home Depot. Exclusions apply to homedepot.com/ price match for details.
Speaker 5: Whatever your thing, it could be anything. Canva helps you make that thing a thing. Canva is a simple online tool thing. It's a way to design with our magic AI tool things. You can social media your thing, generate images or videos of your thing, make decks or presentations to show your thing. Whatever needs to be done for your thing, Canva can make it an even better and bigger thing. Canva, the thing that makes anything a thing.
Speaker 3: Study and play. Come together on a Windows 11 PC.
Speaker 6: And for a limited time, college students get the best
Speaker 5: of both worlds.
Speaker 6: Get the Unreal College Seal, everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last, ends June 30, terms at aka.ms/collegepc.
Speaker 2: Okay. So I wanna zoom in a little bit on the disruption. So you were part of this disruption that took up parts of this infrastructure, cut off some of this ad revenue that was coming into this scheme. Take me through that. How do you go about disrupting something like this? How do you even, like, measure success when you're fighting something that can respond so quickly? Help me understand that disruption.
Speaker 1: Well, on the ad fraud side, we have a lot of visibility into that. A lot of the ad revenue, a lot of the ad companies, a lot of that traffic flows through HUMAN Security. And so it's very easy for us to create cool little graphs. And if you look at the blog, you can find some. But this is our bread and butter. We look for ways that threat actors are disrupting the advertising economy, and then we come up with cool, algorithmic ways that we can shut those down. So in other words, we're not just shutting down one specific ad or type of technique that we see. We work on something that, even when the threat actors change things around a lot, we'll still be able to detect it and get that shut down. And so that's really easy for us to see. And then at the same time, working with our partners, like, we did this ourselves, and Google did a lot. They removed or blocked publisher accounts that were tied to Badbox two. And that was a huge help. So the ad fraud side came and went pretty quickly. That wasn't too hard to do. And Google's been really good about sort of emphasizing that non-Play Protect devices do have weak defenses, and you should get one of these Play Protect Android devices if you wanna put it on your network, if you buy these devices. So there's been a lot of kind of user education around that as well. And I think the FBI's alert sort of helped with that as well.
But the harder stuff to do was in the residential proxy area, because they're not monetizing through advertising, and we're not able to, if one threat actor wants to pay another threat actor, there's no person in that line that can easily stop that from happening. So we had to take some different approaches for that.
Speaker 2: Google, I mean, you brought them up, has now filed a lawsuit naming, I think it was, Does, as in John Does, one through 25. 25 different, like, groups, people. Realistically, how does legal action and things like domain seizure slow down groups like this, who might be operating overseas at the start of this supply chain?
Speaker 1: Yeah. So if you're looking at the proxy services, which were what was left to monetize through Badbox two, the only way of shutting them down was taking down some of the known command and controls. So we would trace back, we would join these residential proxy networks, and we'd find out where they were being commanded from. And so getting the correct legal things in place so that we can sinkhole those command and controls is instrumental in being able to do this. Google took a big risk in doing that, and I commend them for doing it. And hopefully it'll be a model that we see other groups, other companies taking responsibility for cleaning things up like they did. So a lot of kudos to them.
Speaker 2: You know, the thing that really interests me about this one is, like, it's a tech story, and it's a fascinating story about cheap gizmos, but it feels like it's fundamentally a story about global supply chains. You've got a device leaving a factory in one part of the world. It's already compromised by the time it gets shrink wrapped. How much of this comes back to that start of the supply chain, which I think in this particular case happens to be in China? How much of this really starts there, ends there? What should we understand about that?
Speaker 1: Yeah. Well, we're pretty open about the folks behind this. We have traced back to Chinese business entities inside of China. They're interested, and they continue to make good money off of doing things like this. So what's to stop them from continuing to do that? What's an area that we haven't really talked about that's as important? It doesn't really matter per se that they were shrink wrapped at the factory or if they get impacted later; the end result is the same. But the bit that we hadn't talked about is, like, why do people buy these devices anyway? And I wanna just go into that a little bit. We saw, I think it was, like, 37% or something like that of these devices in Brazil. Mhmm. And so we talked with law enforcement in Brazil, and we started looking into what these devices are, and why they're being bought. You'd think they're buying them because they're cheap, and people don't have maybe as much money in Brazil, and so that's why they're popular. And to some degree, that's true. But as we started looking into it, we found that these devices were mostly being resold through people that were selling basically pirated streaming services on top of them. And so you could buy a box from a particular vendor, and that box you'd plug in and it would give you, like, Sky TV and Netflix and HBO Max and all the sports channels and stuff. And you would pay a bit upfront for it, and it would last for a certain time. And there may have been monthly or yearly payments to update it if it stopped working.
But in reality, the part of the supply chain that was being hacked here was the human supply chain. Right? And it's how do people, potentially in countries with lower pay rates, get access to all of the streaming media that they wanna get access to? And so there's a gap being filled there by criminals. And I don't think the criminals in Brazil really understood that these things were already compromised before they added their overlay to it, nor would they really care all that much. Right? So there's multiple different levels of kind of weird bad things going on. And I think that's also allowed people to buy these and say, okay. Well, there may be some weird stuff on here, but it's worth it, because I get to watch the Premier League all the time, and I don't have to pay for it. So there's a couple of supply chain links, not the least of which is why do people wanna buy these devices in the first place?
Speaker 2: Yeah. I'm struck by, there's a product for sale right now. It's a television that has a small monitor under it that plays ads all the time. And it's this kind of bargain you make with the manufacturer of, like, do I want a basically free television in exchange for having ads piped into my home? And in a weird way, it feels almost like you could imagine a consumer base for these products that almost accepts the bargain. They're like, you know what? This thing is so cheap. I will accept that sometimes my network might get used in some sort of amorphous, hard to understand cybercrime scheme off somewhere else. Or this projector is so unfathomably cheap. I'll never connect it to my Wi-Fi. I'll never log into an Apple. I'll just HDMI something into it. Is there a bargain here for some people, or is this thing just so toxically dangerous it's like bringing a landmine into your house?
Speaker 1: So, like, I can see that. Like, you think of, was it the Amazon Kindle? You can get one with ads, right, or without ads. It was cheaper with ads. Well, you made that bargain and said I'm okay, or you can get whatever. Watch Prime Video when it comes with ads or not. But that's all it comes with. With Badbox, you don't know what it's coming with. You could be front-ending a pornography site that people go to at your IP address at your house. Like, there's bad stuff that, I think if people understand, like, in your house, let's say your backyard, you don't wanna make it available for people to deal drugs and stab people. Right? People would draw the line there, but they haven't had that same experience with the crime that happens in the cyber realm. And so they're prepared to turn a blind eye or just, perhaps, wish or hope it's not happening, or just not really understand what the impact is. For me, I've lived in this world for the past couple of decades, and I can see this turning out really badly for people, even if they're unknowingly doing this. And I don't wanna take the risk. And I think until people realize that there's a risk involved in doing that, this is gonna be ripe for exploitation. And I think the further you get away from the more first world setups, the harder it's gonna be. I grew up, went to school in South Africa, and people don't care as much there about some cybercrime happening, because there's real world crime happening. They think cybercrime is kind of a joke. It's not a big issue. And so until the human sort of concept around some of these crimes changes, I think it's gonna be ripe for exploitation.
Speaker 2: Gavin, I've taken up a lot of your time. You've been very generous with it. To wrap up, I spoke with a member of your team about a year ago about Badbox one point o. I didn't know it was one point o at the time, but here we are. Now we're here talking about Badbox two point o. Do you expect a Badbox three point o? And if so, what does it take to stop that cycle before this explodes again?
Speaker 1: Yeah. So the only thing that would stop a Badbox three point o is if this wasn't available to make money from. Mhmm. And I'm telling you now, it's still available to make money from. And so, yes, we're expecting new devices. We're expecting new techniques and new consequences and new targets. And we're paying very close attention to that.
Speaker 2: Gavin, appreciate you taking the time.
Speaker 1: It was really fun. It was good. Good chatting with you.