How One Small Shop Got Snared In Online Ad Scam
NEW YORK (AdAge.com) -- It's a small agency with a big-sounding name, which is probably why Dallas-based Agency Creative was targeted in a state-of-the-art scam: fraudsters impersonating an agency, likely to disseminate malicious code to consumers through advertising.
CEO Mark Wyatt figured out something was amiss when he received a call from 24/7 Real Media about a 20-million-impression buy his firm had attempted to place for another Dallas company and one of the web's bigger advertisers: Travelocity. One problem: Travelocity is not a client. Mr. Wyatt's agency handles accounts for a local Hilton, the Dallas Fort Worth YMCA and area health-care clients.
But the imposter purporting to work at Agency Creative looked incredibly legit, with emails, an identical website and a negotiating style that showed he knew what he was doing. His pitch: "If you can provide a $1.50 CPM rate, we will purchase 20M impressions. Let me know if you work with these CPM rates. Our primary goal is to expand advertising reach with new partners, thus we will need 1/24 frequency cap and optimization toward unique visitors. Campaign is targeted to U.S. IP addresses. No specific age or demo targeting. I look forward to working with you!"
Choosing Travelocity was another stroke of genius; a big advertiser looking for lots of cheap impressions is an order an ad network like 24/7 Real Media would be likely to fulfill quickly with the fewest questions.
"My first thought was a little bit of a panic because I thought we were going to be financially liable," Mr. Wyatt said. "We also contacted the FBI. Within an hour, four other media houses had contacted us."
The imposters set up their front on a plausible-sounding internet domain, agency-creative.net (as opposed to the legitimate site at agencycreative.com). That's an old trick: when scammers targeted Gawker and The New York Times a little more than a year ago, they used faux email suffixes such as @spark-SMG.com and @Hyundai-inc.com. But a year ago the scammers hadn't bothered to actually reproduce the agency's website on their faux domain; this time they had. "The individual purchased a domain name, agency-creative.net, hosted that domain and then through frames technology basically told it to grab our website and place it inside," Mr. Wyatt said. "They hijacked our website."
Online ads have emerged over the past few years as the weakest link -- the easiest way for criminals to harvest identities, spread malware or even hijack computers into an organized "super cloud" to commit crimes. Scammers will impersonate agencies and advertisers to push orders through more quickly with less scrutiny and to mask their identity under the guise of something more legit.
But placing the order with 24/7 Real Media using fake emails, names and an almost-identical copy of the agency's website is also probably what led to the scammer's undoing.
When 24/7 Real Media's Midwest sales VP followed up on the order by calling the number on the website, it became clear the contact, Joe Clark, didn't really exist at the agency, even though he had negotiated via email for the buy.
Mr. Wyatt subsequently learned the imposters had attempted to place ads using fake credentials on CareerBuilder, Traffic Marketplace, Synacor and Sustainlane. He quickly changed the code on his agency site to prevent it from being repurposed on a different URL.
But it's quite likely the scammers succeeded on other sites. Since scammers generally pay their advertising bills -- sometimes in advance -- these scams can go on for some time before they're discovered. Scammers use a host of tricks that have evolved over time to stay ahead of the technology, such as geo-targeting or running the ads on weekends or only after many impressions to throw off publishers, networks and their technology solutions.
At a time when a lot of attention is focused on online tracking, the bigger risk to consumers is that publishers, advertisers and tech firms aren't doing enough to protect them from real crimes committed through advertising.
"People are so concerned about cookies and IP and people tracking them, but what about someone busting in the back door and stealing their stuff?" said Michael Caruso, CEO of online security firm ClickFacts, which works with News Corp. and several other portals and social networks he can't disclose due to confidentiality agreements.
ClickFacts estimates that about 3% of all web pages with advertising had some form of malware in the fourth quarter of 2010, with a slightly higher percentage among the top 250 ComScore sites that are more likely to work with multiple networks and vendors -- a scenario that can make it difficult to know where the malware came from. Industry estimates put the number much lower, at a half percent.
Those attacked -- agencies, publishers, networks and exchanges -- tend to keep it quiet, though Mike Nolet, chief technology officer of Appnexus, said it comes in waves as improvements in scanning technology force scammers to adapt. "It's a constant cat-and-mouse game," he said. "We see a new threat and it will come across multiple networks for a month or two and then quiet down."
In a prior wave, scammers were directly calling on publishers, such as Gawker and The New York Times, posing as agency execs and making buys for ads that installed malware on their visitors' computers. Now, the proliferation of middlemen gives them many more opportunities to find the weak link in the chain, which is most often human.
"What you're seeing is a new level of sophistication on the part of the bad guys," said Bennie Smith, VP-platform policy at Yahoo's Right Media. "They've found it's easier to trick a person than it is to trick an algorithm."
The ability to look and sound legitimate is the killer app for the scammers, who negotiate like pros and know how and when to approach a publisher to get their ads up fast. They no longer have to know any code: There are state-of-the-art developer kits available for purchase, and the cost keeps coming down. It might not work long, but it will work long enough to harvest enough identities, say, to make it worthwhile.
"We're seeing a lot of malware coming through Flash advertisements," Mr. Caruso said. "Malware writers are making it so Flash and Quicktime automatically upgrade to another version so they can get in. They prepare the users' computer for the malware."
Since a malicious ad can activate at any time, it takes constant observation to detect. Scammers can even switch out a benign fake ad with one loaded with malware. By the time a scam is discovered, the malware has generally done its job and the scammers have moved on. The key is to catch the ad before insertion or at least before it activates. "What's the nature of this creative? If it contains a script or code you wouldn't expect, there's a reason," Mr. Smith said.
Mr. Wyatt will probably never know who hijacked his website and why they picked his tiny agency. In 2002, he picked a name for his agency with nice keywords and locked down the .net, .org and .com variations, but he didn't think to register a hyphenated version. The registrar for the domain is based in China. The reason for the impersonation "might have been based on domain availability," he mused.