Spammers expose their entire operation through bad backups

Faulty Rsync setup exposes River City Media's entire operation, group is one of Spamhaus' top offenders (infographic)

Page 2 of 2

Inside a Top 10 ROKSO (Register of Known Spam Operations) operation:

At its core, RCM is a marketing firm that runs email and SMS campaigns. While some of its work is legitimate, other campaigns run by the company are questionable, to say the least.

Mapped RCM email campaigns, November 2016

When it comes to SMS operations, RCM actually got a client sued over an incident that started in 2011. According to the court, RCM sent unsolicited SMS messages out to an unknown number of phones, triggering complaints almost immediately. One of the people who complained was a lawyer, and he filed a lawsuit.

Recorded campaigns exposed by RCM's data breach include large brands such as Nike, LifeLock, Liberty Mutual, Fidelity, MetLife, Victoria's Secret, KitchenAid, Yankee Candle, Bath & Body Works, Gillette, Match.com, Dollar Shave Club, Dewalt, DirecTV, Covergirl, Clinique, Maybelline, Terminix, and AT&T.

Commemorative Trump Coin (image: AppRiver)

RCM has also emailed offers for Trump Coins, oil change coupons, IRS forgiveness, addiction help, offers for new SUVs, ink and toner, veterans loans, blood sugar testing, surgical mesh settlements, metabolism enhancers, cold remedies, survival blankets, and tactical flashlights.

RCM's campaigns are sourced from a number of marketing firms. The largest marketing firm connected to RCM, based on documents exposed by the data breach, public filings, and domain registration records, appears to be Amobee.

Amobee is a display advertiser, meaning they place ads on websites in order to get people to click them. Amobee purchased Adconion Direct in 2014 as a way to boost their display advertising business. The service that enabled Adconion to outsource offers to affiliate companies is called AdDemand.

Setups like this are common, Spamhaus explained. Major brands turn to advertisers, who in turn work with affiliates that have good reputations. That reputation is the gate, which is why warming up accounts and domains, so that the sending infrastructure passes as reputable, is critical to the operation.

The documents exposed by RCM's data breach list all of the campaigns the company has worked on with AdDemand, and show RCM collecting a payment of $72,395.06 from Amobee on November 21, 2016 for completed work, followed by a payment of $33,979.80 on December 19, 2016.

Each day Amobee sends RCM a complainer's report containing the addresses that should stop receiving email, as well as a list of email hashes that should be scrubbed from RCM's lists. Whether those removals are actually carried out is unclear.
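To make the scrubbing step concrete, here is an added example (written for this page, not RCM's or Amobee's tooling) that parses a complainer's report mixing plain addresses and pre-hashed entries, scrubs a mailing list against it, shows why hashing without address normalization silently misses removals, and audits a send log for addresses mailed after they were suppressed. The hash algorithm (MD5), the trim-and-lowercase normalization, the report format, and all sample data are assumptions constructed for the example; the page does not state what Amobee's report looks like.

```python
"""Hashed suppression-list scrub and audit (added example, not RCM/Amobee code).

Assumptions (not stated on the page): addresses are canonicalised by trim +
lowercase before hashing, the hash is MD5 of the UTF-8 address, and a report
line is either a plain address or a 32-hex-digit MD5 hash ('#' lines are comments).
"""
import hashlib
import re

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def normalize(address: str) -> str:
    """Canonical form of an address before hashing (assumed: trim + lowercase)."""
    return address.strip().lower()


def email_hash(address: str, normalize_first: bool = True) -> str:
    """MD5 hex digest of the address; normalize_first=False exposes the mismatch pitfall."""
    value = normalize(address) if normalize_first else address
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def parse_complainer_report(report: str) -> set:
    """Turn a mixed address/hash report into one set of lowercase MD5 hashes."""
    hashes = set()
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if HEX32.fullmatch(line):
            hashes.add(line.lower())       # pre-hashed entry from the network
        else:
            hashes.add(email_hash(line))   # plain address: hash it ourselves
    return hashes


def scrub(mailing_list, suppression_hashes, normalize_first=True):
    """Split a mailing list into (kept, removed), preserving order."""
    kept, removed = [], []
    for address in mailing_list:
        if email_hash(address, normalize_first) in suppression_hashes:
            removed.append(address)
        else:
            kept.append(address)
    return kept, removed


def audit_send_log(send_log, suppression_hashes, report_date):
    """Rows (ISO date, address) mailed AFTER report_date to a suppressed address.

    An empty result is what strict adherence to the removal policy looks like.
    """
    return [(day, addr) for day, addr in send_log
            if day > report_date and email_hash(addr) in suppression_hashes]


# --- constructed sample data (not taken from the breach) ---
COMPLAINER_REPORT = (
    "# constructed complainer's report: stop mailing these\n"
    "Alice.Example@example.com\n"
    "bob@example.net\n"
    "   carol@example.org   \n"
    + email_hash("dave@example.com") + "\n"   # the network sent only the hash
)
MAILING_LIST = ["alice.example@example.com", "ERIC@example.com", "bob@example.net",
                "Dave@Example.com", "frank@example.org", "carol@example.org"]
SEND_LOG = [("2016-11-20", "bob@example.net"),   # sent before the report
            ("2016-11-22", "Bob@example.net"),   # sent after it: a violation
            ("2016-11-22", "eric@example.com")]  # never suppressed

if __name__ == "__main__":
    suppressed = parse_complainer_report(COMPLAINER_REPORT)
    kept, removed = scrub(MAILING_LIST, suppressed)
    naive_kept, _ = scrub(MAILING_LIST, suppressed, normalize_first=False)
    print("kept:   ", kept)
    print("removed:", removed)
    print("missed without normalisation:", [a for a in naive_kept if a not in kept])
    print("policy violations:", audit_send_log(SEND_LOG, suppressed, "2016-11-21"))
```

The normalization pitfall is the practical point: a report that hashes lowercase addresses will never match a list entry stored with different casing or stray whitespace, so a "scrub" can report success while the complainer keeps getting mail. The audit function is the check an outside party would run against a send log to test whether the removal policy was honoured.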

Examples of offers emailed by RCM

Most of the contracts start off as display advertising, meaning an ad on a website that someone has to click. It's a good bet that many of the major brands represented didn't know their marketing campaigns were being pushed to email. The trick that ties everything together is converting email to display advertising.

"Basically, some affiliate companies are selling display advertising clicks to their customers, but what is hidden from them, much of what's driving these clicks, is simply spam," Spamhaus' Anderson explained.

Several of the links used for a LifeLock campaign eventually landed on a registration page (archive copy) for the service, but the emails look like display ads. In 2015, Cloudmark reported on the LifeLock campaigns (archive link), including one that was similar to the offers RCM was sending earlier that year.

The LifeLock campaign was huge for RCM, generating thousands of dollars per month in 2016 from AdDemand.

Another method of turning email into display advertising is to use fake search engines. Clicking a link inside an email routes the recipient through a normal display advertising link and drops them onto a search results page, which presents ads as "search results" keyed to the topic of the email.

"Using the fake search engine trick is the most blatant way this is done. Yes, maybe the users are actually clicking on display ads presented within the fake search engine sites, but they are driven to those sites only through spam (nobody would just stumble across them accidentally).  Even in this scheme, there are tracking codes embedded in every URL to ensure the correct spammers are getting paid for these so-called 'display advertising' clicks," Anderson added.

Other business ties for RCM include Demand Media (Leaf Group Ltd.), where RCM runs two BIND DNS rotator servers, registered under Pheasant Valley Marketing and eBox Inc.

Between October 2016 and January 2017, RCM collected $937,451.21 USD for its campaigns from various affiliate networks, including AdDemand, W4, AD1 Media (Flex), and Union Square Media. RCM campaign logs show business relationships with some of these companies dating back to July 2015.

Salted Hash reached out to Amobee for comment. The company responded with a brief statement: "Amobee has ceased doing business with River City Media. We are committed to advertising standards that are in full compliance with all regulatory requirements."

This is not the end:

The River City Media data breach exposed so many records and other internals, there was just no way to fit everything into a single story. In the coming days and weeks, Salted Hash will continue following the money and business connections of the group and report on additional developments.

