By: Douglas DePeppe, Esq., Co-Founder – Sports-ISAO
Sports-ISAO has been engaged in cyber attacker hunting (and social media abuser hunting) for many years. Over this time, a change in attack type has been observed. The scaling of cybercrime has led to increased sophistication concerning ‘the business of cybercrime’, and the recognition among cyber attackers that one-to-many models are more lucrative than one-to-one models.
Accordingly, Sports-ISAO has increasingly detected the mass deployment of infrastructure to target the massively rich online advertising spend of Big Business, as well as the targeting of Big Brand Athletes and sport enterprises.
That is, criminals are engaged in the practice of misdirecting legitimate ad-spend to their own criminal coffers. This writing addresses legal strategies to counter this criminal enterprise, and leaves it to Sports-ISAO analysts to reveal the technical details.
Changed Attack Modalities
One way that cybercriminals are siphoning legitimate ad-spend is through knockoff sites that resemble those of legitimate and established companies and athletes. In some instances, cybersquatting registrations are pursued for look-alike domains (aka homonym attacks). In the English Premier League, Sports-ISAO detected multiple knockoff sites involving top players and clubs. During Tokyo 2020, for which cybercriminals had an additional year to plan their schemes, Sports-ISAO detected massive networks engaged in fraudulent practices. Many instances of knockoff domains and hijacked online trends were detected, whereby cybercriminals exploit worldwide broadcast and advertising rights to misappropriate viewership onto their own sites. Botnets are also deployed to artificially misrepresent viewership and click rates to drive traffic toward their fraudulent enterprises.
Combating Cyberattack Practices under Property Law
I recently wrote an article, We Lawyers Were Mistaken: Online Privacy is a Property Matter, in which I proposed that the enforcement of data rights should be pursued under a property law construct. The ad-fraud attack trend affords an illustration, principally because knockoffs are an intellectual property issue for redress. Both copyright and trademark infringement actions could be pursued by rights holders, depending on the facts. Indeed, in the US, there is the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), which enables a cause of action for registering, trafficking in, or using a domain name confusingly similar to, or dilutive of, a trademark or personal name. In other situations, the attackers’ sites intentionally resemble legitimate sites, or include copyrighted materials on the site. Another attraction of using intellectual property law is the opportunity, where applicable, of invoking statutory damages. This would streamline the enforcement and reduce investigation costs.
Granted, it is the nature of these attacks that triggers the use of intellectual property statutes for redress, rather than this use case being a revealing illustration of the bold vantage point taken in the Medium article. Still, data-as-property considerations will likely allow for further creative pursuits of data ownership enforcement actions. For example, the ad-fraud ecosystem is engaged in the misappropriation of assets or aspects of brand in ways that are intentionally deceptive and confusing to consumers. Knockoffs under trademark law or infringements under copyright law are just a starting point for other property-based redress options.