The website claims it has paid out more than $40 million to publishers and has thousands of templates and landing pages. Within CPABuild, there are various tiers of users. The website’s affiliate structure is displayed in an image on its homepage. Members can be categorized as managers, devils, demons, wizards, masters, and knights. In one video uploaded by a CPABuild member on August 11, an admin account can be seen sharing a message with users that indicates the company has taken steps to prevent the platform from being used for fraud. “We are still getting reports that CPABuild publishers are promoting offers in ways that violate our terms of service,” a message seen on the screen reads. Edwards’ research shows, however, that whatever efforts CPABuild has taken have failed to prevent its users from engaging in rampant fraud.
“CPA fraud, which includes cost per app install, is very common,” says Augustine Fou, an independent cybersecurity and ad fraud investigator, who reviewed a summary of Edwards’ findings. “Specialists like the ones identified in the research carve out a niche where they become the category leader in a particular kind of fraud,” Fou says. “Customers come to them for that speciality.”
Scores of websites are currently impacted by the PDFs. This week, the New York State Department of Financial Services removed the uploaded PDFs after being contacted by WIRED. Ciara Marangas, a spokesperson for the department, says the issue was first identified in 2022, and following a review and additional steps, the files were removed.
In 2022, Edwards says, he alerted the US Cybersecurity Infrastructure Agency (CISA) to more than 50 compromised websites, which included the Oak Ridge National Laboratory and the Lawrence Berkeley National Laboratory. A spokesperson for Oak Ridge said it “immediately” responded to CISA’s alert, “deleted the suspicious content, and resolved the issue.” No data belonging to the laboratory was impacted, they say. Meanwhile, a spokesperson for Lawrence Berkeley National Laboratory said it cannot comment on the individual case but “no vulnerability has resulted in the compromise of systems for visitors” to its website. CISA’s .gov registry manager, Cameron Dixon, says when it is made aware of vulnerabilities in government websites, it notifies them and offers assistance. “In any given day, you could have a list this big of new victims,” Edwards says. (In 2020, Italy’s Computer Security Incident Response Team, CSIRT, issued an alert about compromised domains Edwards had found.)
While there has been some reporting linked to potential CPABuild affiliates, Edwards says the scheme can fly under the radar, as the links in the process are passed through redirecting services, which mask their identity. Also, he says, the compromises can get overlooked as they are not as impactful as ransomware or other cyberattacks.
However, there are traces of activity linked to CPABuild members and affiliates spread across the web. Various users of CPABuild have uploaded videos to YouTube exposing how parts of the site work. One video shows someone using a “Fortnite skins generator” and a locker page that is created through CPABuild’s tools. Within another video, the kinds of offers hosted by CPABuild can be seen, including getting people to submit their email and postal code details, submitting their credit card details, installing mobile apps, and completing “general surveys.”