Increasingly, digital ad viewers aren’t human. A study done last year in conjunction with the Association of National Advertisers embedded billions of digital ads with code designed to determine who or what was seeing them. Eleven percent of display ads and almost a quarter of video ads were “viewed” by software, not people. According to the ANA study, which was conducted by the security firm White Ops and is titled The Bot Baseline: Fraud In Digital Advertising, fake traffic will cost advertisers $6.3 billion this year. ... Fake traffic has become a commodity. There’s malware for generating it and brokers who sell it. Some companies pay for it intentionally, some accidentally, and some prefer not to ask where their traffic comes from. It’s given rise to an industry of countermeasures, which inspire counter-countermeasures. ... All a budding media mogul—whether a website operator or a traffic supplier—has to do to make money is arbitrage: Buy low, sell high. The art is making the fake traffic look real, often by sprucing up websites with just enough content to make them appear authentic. Programmatic ad-buying systems don’t necessarily differentiate between real users and bots, or between websites with fresh, original work, and Potemkin sites camouflaged with stock photos and cut-and-paste articles.
The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers. ... Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. ... To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.
On average, an American office worker sends and receives roughly 120 emails per day, a number that grows with each passing year. The ubiquity and utility of email has turned it into a fine-grained record of our day-to-day lives, rich with mundane and potentially embarrassing details, stored in a perpetual archive, accessible from anywhere on earth and protected, in some cases, by nothing more than a single password. In the case of Violeta Lagunes, her email login represented a point of vulnerability, a seam where the digital walls protecting her campaign were at the mercy of her human judgment — specifically, whether she could determine if a message from an apparently reputable source was real or fake. ... Not only will a working email password yield years of intraoffice chatter, invoices, credit-card bills and confidential memos; it can often be leveraged into control of other personal accounts — Twitter, Facebook, Amazon — and even access to company servers and internet domains.
America’s war with Russia’s greatest cybercriminal began in the spring of 2009, when special agent James Craig, a rookie in the FBI’s Omaha, Nebraska, field office, began looking into a strange pair of electronic thefts. ... The leading victim in the case was a subsidiary of the payments-processing giant First Data, which lost $450,000 that May. That was quickly followed by a $100,000 theft from a client of the First National Bank of Omaha. What was odd, Craig noticed, was that the thefts seemed to have been executed from the victims’ own IP addresses, using their own logins and passwords. Examining their computers, he saw that they were infected with the same malware: something called the Zeus Trojan horse. ... The ruse is known as a “man in the browser” attack. While you sit at your computer logging into seemingly secure websites, the malware modifies pages before they load, siphoning away your credentials and your account balance. Only when you log in from a different computer do you even realize the money is gone.