The Criminal Underground: the Last Refuge of Banner Ads
In the 2000s, banner ads became popular, notably through Google. The search engine enabled marketers to reach a vast audience through a standard visual message that fits on any web page. Just like shipping containers, banner ads were standardized to make them easier to share and post on multiple platforms.
While useful for marketers, it is surprising that banner ads were so popular for so long. Today’s click-through rate on these ads is poor, with an average of 5 clicks per 10,000 impressions on Google’s network. Over the past two years, this rate has decreased by almost 45%.
This may explain why it is now extremely rare to find a banner ad on the clear web. For anyone browsing the criminal underground, however, it is clear that malicious actors have not caught up to this and still use banner ads heavily on their websites for publicity. We set out to find out how banner ads work in the criminal underground, and whether they could be a valuable intelligence signal.
An expensive proposition for prime real estate
The adage goes that you need to spend money to make money. This is the case when looking at the price of banner ads on various criminal underground platforms. A small forum with a few thousand threads will sell its banner ads, at the top of the forum, for as little as $20 for a month. A few hundred, or perhaps a few thousand, users are likely to see that ad.
More prestigious and popular forums charge quite a lot more for the same space. On the largest hacking forum on the clear web, a banner at the top of every forum page costs $600 per month, though other placements (below the fold, for example) can save you 60% of the price.
On the dark web, the price on popular forums can go as high as $1,000 per month. In some cases, the banner ad is inserted into a rotation, meaning that it is not displayed to all website visitors. This limits the visibility and reach of the banner ads.
A limited supply for banner ads
The space for banner ads is limited on most websites on the criminal underground. Their rotation is also low, as demonstrated by our compulsive reloading of 15 criminal underground websites to index all available banner ads.
We found that criminal underground sites displayed between 1 and 19 banner ads. The average site had 6 banner ads, either displayed individually or sharing a single spot and rotating with each page refresh. These banner ads represent an interesting revenue stream for website administrators. At an average price of $300, with 6 banner ads rotating per month, this means that an administrator can hope to make almost $22,000 per year through their banner ad program. Not a bad start.
Use cases for banner ads
Our investigation has found that the most expensive banner ads were often bought by large dark web marketplaces. These include White House Market and World Market.
We also found banner ads for well-known criminal underground platforms that we were already monitoring such as Genesis Market. This market specializes in the rental of bots, and its activities were analyzed in a report recently.
In the above cases, we clearly see that the production quality of the banner ads was toward the higher end, with an effort to attract the visitor's attention through animations or the use of a popular crime fiction character.
Most of the banner ads that we found, however, were for unknown, small and independent vendors who were probably looking to make a name for themselves. In many cases, these vendors did not even have their own web portal, preferring to be contacted through private messages on the criminal underground or on Telegram and Jabber.
Using banner ads as intelligence sources
Because of their ubiquity in the criminal underground, banner ads are still a significant marketing channel for malicious actors. To create and publish banner ads, they must be willing to invest some of their resources. This suggests that the malicious actors behind those banner ads should be higher-level offenders, and perhaps more worthy of attention.
Banner ads are therefore an easy tool for identifying new, up-and-coming and established criminal underground platforms and actors. These can be monitored to identify threats, tactics and methods, as well as to better understand new trends.
Genesis Market for example showcases its ability to fingerprint its victims’ computers to take over accounts. This technique, not widely known until recently, is put up front in their banner ads.
A mistake we may all be making is not paying attention to these banner ads. We were trained to ignore banner ads on the clear web for so long that it makes some sense not to look at them on the criminal underground. This would, however, limit the value of the intelligence that we can gather from the criminal underground, and perhaps prevent us from identifying the next major criminal underground platform.