This results-based process is known as a cost per action (CPA) by advertisers and marketers. They often do so via spamming links to YouTube comments or creating the kind of pop-up “locker” pages towards the end of the poison PDF click chain. Then users of CPABuild, often known as affiliates, try to get people to complete these offers. Googling for a file linked to the PDFs brings up pages of results of compromised websites.ĬPABuild’s website, which lists its legal registry in Nevada, describes itself as a “content-locking network first and foremost.” The company, which has existed since 2016, hosts tasks from its customers, such as giving people the chance to win money by submitting their email and postal code details. “They're pushing advertising campaigns into someone else’s infrastructure,” he says. All the compromised websites that have PDFs uploaded are calling to command-and-control servers owned by CPABuild, Edwards says. But these stand out, as they all have links back to the advertising firm CPABuild and the members that work for its network, Edwards says. These kinds of scams have been around for a while, ad fraud researchers say.