Online ads have emerged over the past few years as the weakest link
-- the easiest way for criminals to harvest identities, spread
malware or even hijack computers into an organized "super cloud" to
commit crimes. Scammers will impersonate agencies and advertisers
to push orders through more quickly with less scrutiny and to mask
their identity under the guise of something more legit.

But placing the order with 24/7 Real Media using fake emails,
names and an almost-identical copy of the agency's website is also
probably what led to the scammer's undoing.

When 24/7 Real Media's Midwest sales VP followed up on the order
by calling the number on the website, it became clear the contact,
Joe Clark, didn't really exist at the agency, even though he had
negotiated via email for the buy.

Mr. Wyatt subsequently learned the imposters had attempted to
place ads using fake credentials on CareerBuilder, Traffic
Marketplace, Synacor and Sustainlane. He quickly changed the code
on his agency site to prevent it from being repurposed on a
different URL.

But it's quite likely the scammers succeeded on other sites.

Since scammers generally pay their advertising bills -- sometimes
in advance -- these scams can go on for some time before they're
discovered. Scammers use a host of tricks that have evolved over
time to stay ahead of the technology, such as geo-targeting or
running the ads on weekends or only after many impressions to throw
off publishers, networks and their technology solutions.

At a time when a lot of attention is focused on online tracking,
the bigger risk to consumers is that publishers, advertisers and
tech firms aren't doing enough to protect them from real crimes
committed through advertising.

"People are so concerned about cookies and IP and people
tracking them, but what about someone busting in the back door and
stealing their stuff?" said Michael Caruso, CEO of online security
firm ClickFacts, which works with News Corp. and several other
portals and social networks he can't disclose due to
confidentiality agreements.

ClickFacts estimates that about 3% of all web pages with
advertising had some form of malware in the fourth quarter of 2010,
with a slightly higher percentage among the top 250 ComScore sites
that are more likely to work with multiple networks and vendors --
a scenario that can make it difficult to know where the malware
came from. Industry estimates put the number much lower, at a half
percent.

Those attacked -- agencies, publishers, networks and exchanges
-- tend to keep it quiet, though Mike Nolet, chief technology
officer of Appnexus, said it comes in waves as improvements in
scanning technology force scammers to adapt. "It's a constant
cat-and-mouse game," he said. "We see a new threat and it will come
across multiple networks for a month or two and then quiet
down."

In a prior wave, scammers were directly calling on publishers,
such as Gawker and The New York Times, posing as agency execs and
making buys for ads that installed malware on their visitors'
computers. Now, the proliferation of middlemen gives them many more
opportunities to find the weak link in the chain, which is most
often human.

"What you're seeing is a new level of sophistication on the part
of the bad guys," said Bennie Smith, VP-platform policy at Yahoo's
Right Media. "They've found it's easier to trick a person than it
is to trick an algorithm."

The ability to look and sound legitimate is the killer app for
the scammers, who negotiate like pros and know how and when to
approach a publisher to get their ads up fast. They no longer have
to know any code: There are state-of-the-art developer kits
available for purchase, and the cost keeps coming down. It might
not work long, but it will work long enough to harvest enough
identities, say, to make it worthwhile.

"We're seeing a lot of malware coming through Flash
advertisements," Mr. Caruso said. "Malware writers are making it so
Flash and Quicktime automatically upgrade to another version so
they can get in. They prepare the users' computer for the
malware."

Since a malicious ad can activate at any time, it takes constant
observation to detect. Scammers can even switch out a benign fake
ad with one loaded with malware. By the time a scam is discovered,
the malware has generally done its job and the scammers have moved
on. The key is to catch the ad before insertion or at least before
it activates. "What's the nature of this creative? If it contains a
script or code you wouldn't expect, there's a reason," Mr. Smith
said.

Mr. Wyatt will probably never know who hijacked his website and
why they picked his tiny agency. In 2002, he picked a name for his
agency with nice keywords and locked down the .net, .org and .com
variations, but he didn't think to register a hyphenated version.
The registrar for the domain is based in China. The reason for the
impersonation "might have been based on domain availability," he
mused.