Malware begone!

Canadian Lawyer Online — IT Girl Column

On July 11, the Canadian Radio-television and Telecommunications Commission issued its first notices of violation to two Canadian companies that allegedly contravened the installation of computer program prohibitions under Canada's anti-spam legislation.

Datablocks, Inc. and Sunlight Media Network Inc. were accused of aiding the installation of malicious computer programs through the distribution of online advertising in contravention of ss. 8 and 9 of CASL.

By way of reminder, s. 8 of CASL prohibits the installation of a computer program on any other person’s computer system without the express consent of the owner or an authorized user of the computer system, while s. 9 prohibits aiding in the commission of the violation. For their nefarious activities, the CRTC is demanding that Datablocks pay administrative monetary penalties in the amount of $100,000 and Sunlight Media pay administrative penalties in the amount of $150,000.

Datablocks owns and controls certain software and network routing infrastructure, which enables a fully automated real-time bidding process through which online ads are customized and delivered to website visitors. Advertisers who want to compete in this auction process generally enter into an agreement with ad networks for the management of their ad campaigns and their bids in the RTB process.

Sunlight Media operates an ad network and serves as a broker between advertisers and publishers (or their representatives) using Datablocks’ RTB system. The companies are closely connected through ownership, corporate structure and physical location and, not surprisingly, Sunlight Media is a top user of Datablocks’ services (and enjoys significantly discounted rates for doing so).

The CRTC alleges that Sunlight Media supported a wide variety of customers that engaged in “malvertising” — as in using ads to spread malware by leveraging the real-time bidding process and working with ad networks in order to serve “booby-trapped” ads.

The ad network redirects a user’s web browser to its client’s toxic landing page from which the exploit malware is installed. The exploit program targets vulnerable user computer systems and, once installed, permits the installation of second-stage malware in order to conduct malicious activities.

Scarily, simply viewing an ad may lead to the installation of an exploit program on a user’s computer — no additional action is required on the part of the user.

The CRTC claims that ads distributed through Sunlight Media and Datablocks’ services resulted in the installation of the infamous Angler exploit kit, which exploited vulnerabilities in Internet Explorer, Microsoft Silverlight, Adobe Flash Player, Adobe Acrobat Reader and Java.

Angler, one of the top exploit kits during the 2014-2016 period (even identified by Trend Micro Incorporated as the “King of the Exploit Kit” in 2015), is designed to install second-stage malware, including ransomware (which locks the user’s system unless a ransom is paid), banking trojans that steal users’ sensitive data, such as account login information and banking credentials, and click fraud trojans (where the malware imitates a legitimate user clicking on web browser advertisements to generate revenue for that advertisement even though there is no interest in the advertisement itself).

Following the arrest of the so-called Lurk group of hackers by Russian authorities in 2016, Angler has largely ceased to be the exploit kit of choice, but at its peak, Angler was allegedly behind approximately 40 per cent of all exploit kit infections, compromising nearly 100,000 websites and millions of users and generating some US$34 million annually for its authors.

The CRTC alleged that both companies facilitated these prohibited acts by a combination of their actions and omissions as follows:


  • Through the services provided by Sunlight Media and the software and infrastructure provided by Datablocks, the organizations provided the technical means to commit the acts prohibited by CASL;
  • Sunlight Media allegedly sought out and successfully attracted a non-CASL-compliant clientele by actively promoting services that foster s. 8 violations; doing business with bad actor clients publicly known for facilitating acts contrary to s. 8 of CASL and other non-recommended practices and engaging in practices that permitted and encouraged a high degree of anonymity (such as accepting unverified aliases and suspicious signups, as well as using crypto-currency payment methods);
  • Datablocks knowingly maintained its business relationship with Sunlight Media, disregarding its non-compliant practices;
  • Even though both Sunlight Media and Datablocks were alerted in 2015 by the Canadian Cyber Incident Response Centre that their services were used to disseminate malware, neither company did anything to prevent the prohibited acts; and
  • Both Sunlight Media and Datablocks failed to implement any critical legal safeguards at the time of the violations. For example, neither company had written contracts in place with its clients that would require them to comply with CASL, had any monitoring measures in place governing how its clients used its service, or had any written corporate compliance policies or procedures in place to ensure compliance with CASL.

As a result of the above, Sunlight Media’s clients were able to repeatedly violate s. 8 of CASL from Feb. 8, 2016 to May 31, 2016. Based on evidence gathered through search warrants and otherwise, the CRTC found that Sunlight Media and Datablocks had financially benefited from activities prohibited under CASL.

The case against Sunlight Media and Datablocks is by no means a foregone conclusion. Datablocks and Sunlight Media have 30 days to file written representations to the CRTC regarding the amount of the penalties levied or the alleged violations, and may also bring an appeal in the Federal Court of Appeal from a decision rendered by the commission.

The companies may also enter into an undertaking in connection to these alleged acts and omissions, which would impose various compliance obligations and conditions and would likely include a requirement to pay some specified fine.

Regardless, it is heartening to see the CRTC finally begin to use these sections of CASL as a remedy against businesses that have such potential to harm Canadians online.

This article originally appeared as Lisa's IT Girl column in Canadian Lawyer Online