Investigation into the installation of malicious computer programs through online ads
Ottawa, 11 July 2018
File Number: 9094-2015-00417
Summary of investigation
Violations pursuant to An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 (the Act or CASL).
Pursuant to section 22 of the Act, notices of violation have been issued to Datablocks, Inc. (Datablocks) and Sunlight Media Network Inc. (Sunlight Media) alleging that each has committed a violation of Section 9 of the Act. Through their actions and omissions, Datablocks and Sunlight Media aided in the commission of acts contrary to section 8 of the Act.
Section 8 of the Act prohibits the installation of a computer program on any other person’s computer system without the express consent of the owner or an authorized user of the computer system. Section 9 of the Act prohibits aiding in the commission of the aforementioned violation.
As a result of publicly available reports that Datablocks and Sunlight Media were allegedly involved in the dissemination of malicious computer programs [Footnote 1], Commission staff initiated an investigation in order to assess their business activities for compliance with the Act. These business activities consist of the distribution of online advertisements.
Many online ads are delivered through a fully automated Real Time Bidding (RTB) process through which ads are customized for website visitors. Advertisers who want to compete in this auction process typically enter into an agreement with an intermediary, known as an ad network, for the management of their ad campaigns and their bids in the RTB process. Datablocks owns and controls software and network routing infrastructure, which facilitates and enables the RTB process.
Sunlight Media operates an ad network and serves as a broker between advertisers and publishers (or their respective representatives) using Datablocks’ RTB system. Datablocks’ and Sunlight Media’s business activities are vertically integrated; the two companies are closely connected, for example, through ownership, directors/officers, and physical location. Sunlight Media is a top user of Datablocks’ service and pays significantly discounted rates for using this service.
Sunlight Media has a wide variety of customers, including malicious actors who are allegedly in violation of section 8 of the Act. The use of online advertising is one of the main vectors to deliver malware: malicious actors leverage the RTB process, contracting with ad networks in order to serve ads that are “booby-trapped” with malicious computer programs. In these cases, the ad network redirects a user’s web browser to its client’s landing page [Footnote 2] from which an exploit program is installed. The exploit program abuses vulnerabilities of the user’s computer system. Once installed, the exploit program permits the installation of second stage malware in order to conduct malicious activities.
This practice is generally referred to as “malvertising” and is well known to the online ad industry and cybersecurity researchers [Footnote 3]. The online ad industry and the RTB process are attractive to malicious actors because ads do not depend on consent or any other affirmative action to be loaded on a user’s computer. Simply viewing an ad may lead to the installation of an exploit program.
In the present case, Commission staff found evidence that ads distributed through Sunlight Media and Datablocks’ services, using their proprietary infrastructure, resulted in the installation of malicious programs from a notorious exploit kit named Angler, which exploited a vulnerability in Adobe Flash. Each of these installations constitutes an act prohibited by section 8 of the Act. The Angler exploit kit is designed to further install second-stage malware, which can lock the user’s system unless a ransom is paid (ransomware), steal users’ sensitive data, such as account login information and banking credentials (banking Trojans), and/or use the victim’s computer resources for illicit monetization (clickfraud Trojans).
Both companies aided in the commission of these acts, thereby each committing a violation of section 9 of the Act. The aid provided by Sunlight Media and Datablocks consisted of facilitating these prohibited acts by their actions and their omissions:
- Sunlight Media and Datablocks provided the technical means to commit acts prohibited by section 8 of the Act; the prohibited acts would not have occurred without the services provided by Sunlight Media and software and infrastructure provided by Datablocks.
- In a context where ad networks, such as Sunlight Media, are very vulnerable to the distribution of malicious computer programs embedded in ads served through their services, Sunlight Media substantially increased the likelihood of section 8 violations by seeking out, and successfully attracting, a non-CASL compliant clientele. Essentially Sunlight Media:
  - Actively promoted services that foster section 8 violations;
  - Formed business relationships with clients publicly known for facilitating acts contrary to section 8 of the Act and other non-recommended practices; and
  - Adopted a set of practices which permitted and encouraged a high degree of anonymity (accepting unverified aliases and suspicious signups, as well as using cryptocurrency payment methods).
- Datablocks maintained its business relationship with Sunlight Media, disregarding their non-compliant practices.
- Finally, neither company put safeguards in place to prevent the prohibited acts. Information obtained during a search showed that both Sunlight Media and Datablocks were alerted in 2015 by the Canadian Cyber-Incident Response Centre (CCIRC) that their services were used to disseminate malware.
- However, while both Sunlight Media and Datablocks were clearly in the best position to prevent the prohibited acts from occurring, they failed to implement any fundamental basic safeguards, which are well known to the industry. Among other things, at the time of these violations:
  - Sunlight Media and Datablocks did not have written contracts in place with their clients which would bind them to comply with the Act;
  - they had no monitoring measures in place governing how their clients use their service; and,
  - they did not have any written corporate compliance policies or procedures in place to ensure compliance with the Act.
As a result of the above actions and omissions, Sunlight Media’s clients were able to repeatedly violate section 8 from February 8, 2016 to May 31, 2016.
Based on their respective remuneration models [Footnote 4] and evidence gathered, Commission staff believe that Sunlight Media and Datablocks financially benefitted from the commission of acts prohibited under section 8 of the Act.
The evidence gathered in the course of this investigation originates from multiple sources, including Notices to Produce pursuant to section 17 of the Act, and the execution of a search warrant.
Based on the information gathered in the investigation, the Chief Compliance and Enforcement Officer has issued Notices of Violation, including administrative monetary penalties of $100,000 to Datablocks and $150,000 to Sunlight Media.
A person who is served with a NOV has the opportunity to make representations before the Commission with respect to the amount of the penalty or the alleged violations pursuant to sections 24 and 25 of the Act, and may further bring an appeal in the Federal Court of Appeal from a decision rendered by the Commission pursuant to section 27 of the Act. As a result and at this time, the above-mentioned information constitutes allegations made by persons designated by the Commission pursuant to section 14 of the Act.
A person who is served with a NOV also has the opportunity to enter into an Undertaking in connection to these acts and omissions pursuant to subsection 21(4) of the Act, under the conditions provided by subsection 21(2) of the Act.
Commission staff will make the best efforts to provide additional information on this investigation as soon as practicable.