Remember when the global economic crisis was supposed to drive legions of desperate, unemployed computer programmers into cybercrime? It turns out the real threat comes from unemployed advertising agents.
Scammers posing as the well-known ad agency Spark-SMG tricked Gawker Media into running a fake Suzuki ad last week that served malicious code, according to a report in Silicon Alley Insider. A similar scam hit the New York Times in September. Unlike the newspaper, Gawker has released the e-mails it exchanged with the scammers, and the messages show just how confidently the perps navigated the ad-buy process.
“We are only interested in standard IAB banner sizes right now as that’s what we have sign off for,” wrote fake person George Delarosa, at one point in the negotiations. “Please whip up a proposal and let’s try and get a rush on getting something going as we are in need of some major imps by the end of the month as we are under-delivering on our monthly impression levels for September.”
I’d rather voluntarily install the malware than read that paragraph again. But it does show that the scamsters — who are probably behind the Times attack as well — know exactly what they’re doing. In addition to the authentic prose, the crooks backed their play with a working phone number in a Chicago area code, where the real Spark is based, and a copycat domain name.
“Whoever it is definitely worked in online ad sales at some point,” an anonymous Gawker salesperson wrote the Insider.
With legitimate ad sales in a slump industrywide, malware-laced banners and, more commonly, just plain deceptive ads are enjoying way too much access to legitimate outlets these days, sometimes delivered through third-party ad networks, and sometimes through direct sales, as in the Gawker and Times attacks.
The problem has grown so large that New York ad company Epic Advertising has hired a former FBI cybercrime agent to head a division that scrutinizes potential advertisers. The company is hoping to distinguish itself in the market with a commitment not to run malware, dubious testimonials and ads linking to fake news articles.
“All ads are previewed in advance with the sales team, then they have to go through Compliance to make sure they don’t say anything funky,” says Epic’s E.J. Hilbert, who worked against Eastern European cybercrooks while in the Bureau. “We are the watchdogs and the hound dogs. I think like a bad guy. I think like a guy who’s going to manipulate these situations, and help to devise a way to make sure that we don’t fall for it.”
For those without G-men on staff, a few minutes of sleuthing might prevent gaffes like Gawker’s. While Gawker’s salesperson says the company did all it could to scrutinize the fake Suzuki ad, a quick phone call to a known and trusted number for the real Spark would likely have put the kibosh on the attack before it began.
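The sleuthing step above comes down to two checks: does the buyer write from the agency's real domain or a copycat, and is the verification call placed to a number already on file rather than one supplied in the e-mail. The following helper, added here as an illustration and not code from the article, Gawker, Spark or Epic, encodes that routine. The agency directory, domains and phone numbers in it are constructed placeholders; the copycat test (small edit distance, the agency's name with extra tokens, or the same name under a different top-level domain) is an assumption about what such a vetting tool would look for.

```python
"""
Vetting helper for direct ad buys (illustrative, constructed data).

Given the e-mail address a prospective buyer writes from, decide whether it
belongs to a trusted agency, looks like a copycat of one, or is unknown, and
hand back the phone number already on file so the salesperson verifies the
deal out of band instead of dialling a number taken from the e-mail itself.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: trusted agency domain -> phone number on file.
# In practice this comes from signed contracts, never from inbound mail.
TRUSTED_AGENCIES = {
    "example-agency.com": "+1-312-555-0100",
    "bigmedia-buyers.example": "+1-212-555-0150",
}

# Copycat threshold: at most this many single-character edits away.
MAX_EDIT_DISTANCE = 2


@dataclass
class Verdict:
    status: str              # "trusted", "copycat" or "unknown"
    matched: Optional[str]   # the trusted domain the sender matches/resembles
    call: Optional[str]      # phone number on file to verify with


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce 'mail.example-agency.com' to 'example-agency.com'.

    Assumption: two-label registrable domains only; a real tool would
    consult the public suffix list to handle e.g. 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lowercased."""
    return address.rsplit("@", 1)[1].lower()


def vet_sender(address: str) -> Verdict:
    """Classify the sender's domain and say which number to phone."""
    dom = registrable(sender_domain(address))
    if dom in TRUSTED_AGENCIES:
        return Verdict("trusted", dom, TRUSTED_AGENCIES[dom])

    d_name = dom.split(".")[0]
    for trusted, phone in TRUSTED_AGENCIES.items():
        t_name = trusted.split(".")[0]
        near_miss = levenshtein(dom, trusted) <= MAX_EDIT_DISTANCE
        padded_name = t_name in d_name and d_name != t_name   # agency-media.com
        other_tld = d_name == t_name                          # agency.net vs .com
        if near_miss or padded_name or other_tld:
            # Looks like the agency but isn't: verify on the number on file.
            return Verdict("copycat", trusted, phone)

    return Verdict("unknown", None, None)


if __name__ == "__main__":
    # Constructed sample addresses exercising each outcome.
    for addr in ("george@example-agency.com",
                 "george@mail.example-agency.com",
                 "george@exampIe-agency.com",       # capital I for lowercase l
                 "george@example-agency-media.com",
                 "george@example-agency.net",
                 "george@someone.org"):
        v = vet_sender(addr)
        print(f"{addr:36} -> {v.status:8} matched={v.matched} call={v.call}")
```

A "trusted" result only means the domain is the one on file; the message headers could still be forged, so the phone call to the directory number is what actually confirms the buy. Anything flagged "copycat" is the case the article describes: the real agency's name with a different domain, and a phone number that should not be taken from the e-mail.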
The ad ran for “less than 5 days last week,” said Gawker’s James Del, in an e-mail to Threat Level. “This was a very malicious piece of code that seemingly took advantage of unpatched Adobe software, though we don’t have details on how exactly that worked. It was not a ‘trick’ ad, wherein users were prompted to install something … It simply strong-armed its way through a vulnerability and infected the computer.
“This isn’t a worm that goes unnoticed,” Del added. “It would have crippled the user’s computer in a few moments, based on the reports we received. There would have been pop ups, freezing, and multiple file downloads taking place.”