NEW YORK (AdAge.com) -- Ads have long been a gateway for spammers and hackers to distribute malicious code, but now the crooks are showing a new level of sophistication by posing as agency executives and walking right in through the front doors of well-known publishers.
The scam goes something like this: Someone posing as an agency executive or marketer approaches a publisher with a credible e-mail domain like vonage-inc.com or hyundai-inc.com and asks for a quick turnaround campaign, often over a weekend. The ads then install malware or harvest user identities and continue to do so until the publisher figures it out. Often they don't and the "advertiser" -- sometimes part of a European organized-crime syndicate -- will even pay for the campaign and run another.
"They're bold, and they have budget," said Michael Caruso, CEO of ClickFacts, an online-security firm that works with News Corp. "These guys know internet advertising, and may have worked in the industry, or at least they know enough to convince a salesperson they know the business."
What do the scammers want? Eyeballs, and installs, for the most part. Some are paid by the number of malware installs they can get; others by the number of identities harvested or the number of computers that can be used remotely as part of a bot network. In all cases, the bigger and more trusted the site, the easier it is to make money. "It's purely financially motivated," said John Harrison, manager at security firm Symantec.
Gawker Media was one of the latest to fall victim, and ran a campaign last week that installed malware on visitors to Gawker sites for several days until the ads were discovered. The scammers were clever enough to credibly pose as employees of Spark SMG, a unit of Publicis Groupe, and had a detailed knowledge of Spark clients and a repertoire of industry lingo convincing enough to get industry insiders to create a fake campaign for Suzuki across Gawker sites.
As is typical, they created a legitimate-looking e-mail address, @spark-SMG.com (real Spark employees are @sparksmg.com), and called from a Chicago area code. Their ads only infected computers in intervals, so routine tests on the ads wouldn't discover the malicious code.
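The interval-based serving described above defeats a one-shot pre-flight check by construction: whatever the reviewer fetches looks clean. The following is an added example, not code from the article or from any of the companies it names, showing the defender's counter-move: fetch the creative repeatedly and compare content fingerprints, flagging any creative whose served bytes are not stable. The ad server is a constructed stand-in (a function that returns an altered body on every seventh request); the CLEAN and ALTERED bodies and the `period` value are assumptions for the simulation.

```python
import hashlib
from collections import Counter


def fingerprint(body: bytes) -> str:
    """Short content hash used to compare what the creative served each time."""
    return hashlib.sha256(body).hexdigest()[:16]


def sample_creative(fetch, samples: int) -> dict:
    """Fetch the creative `samples` times and tabulate the distinct responses.

    A creative that is genuinely static yields exactly one fingerprint. More
    than one means the served content depends on something about the request
    (time, request count, visitor attributes) and needs manual review before
    it runs again.
    """
    counts = Counter(fingerprint(fetch(i)) for i in range(samples))
    return {"distinct": len(counts), "counts": dict(counts), "stable": len(counts) == 1}


# Constructed stand-in for a third-party ad server. CLEAN is what a routine
# pre-flight check sees; ALTERED is served only on every `period`-th request.
CLEAN = b'<script src="https://ads.example/creative.js"></script>'
ALTERED = CLEAN + b'<!-- constructed: extra resource that only some visitors receive -->'


def make_intermittent_server(period: int):
    """Return a fetch(i) function that behaves like an interval-based creative:
    identical to CLEAN except on every `period`-th request."""
    def fetch(i: int) -> bytes:
        return ALTERED if (i + 1) % period == 0 else CLEAN
    return fetch


if __name__ == "__main__":
    fetch = make_intermittent_server(period=7)
    # The single fetch a routine test performs reports the creative as stable.
    print("one-shot check:", sample_creative(fetch, samples=1))
    # Twenty fetches surface the second response body.
    print("20 samples:   ", sample_creative(fetch, samples=20))
```

In a real pipeline the samples should also vary what the server can key on (time of day, source address, user agent, geography) and should fingerprint the full set of resources the tag loads rather than the tag alone; sampling should continue after launch, since in the Gawker case the first signal came from visitor comments rather than from a pre-flight check.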
Target: ad networks
The attack reflects a growing sophistication among hackers that try to use advertising as a vehicle to distribute malware. "They have been focused on ad networks for a while and they've tightened down their systems," said Rajeev Goel, CEO of PubMatic. "Publishers haven't faced this directly until recently, so they are facing a learning curve."
The latest workaround is to actually attempt to sell a "campaign" to a site's direct sales force, and then either serve a fake ad through their own ad server or infiltrate a well-known ad server, such as DoubleClick. In October, The New York Times was the victim of an attack and initially suspected an ad network was responsible. It turned out the ad was sold directly to Vonage, but came from a third-party ad server the Times had never used before.
"While there are technical steps that we have taken that will reduce the likelihood of this happening in the future, technology alone will not address the issue," said Denise Warren, senior VP-chief advertising officer, The New York Times Media Group, in a statement. "We have added steps in our sales and ad operations process to ensure the integrity of every ad that runs on NYTimes.com. As you can understand, it would be counterproductive for us to disclose those steps."
Publishers and agencies usually aren't eager to publicize they've been hit, but just about every big agency has been spoofed, and many publishers have already fallen for the scam. Earlier in the year, Interpublic Group of Cos.* buying shop Initiative got word that scammers were posing as agency employees and attempting to place campaigns for Hyundai, one of the shop's biggest clients. They sent RFPs -- requests for proposals -- to several publishers and were able to run a short campaign. Initiative sent out a memo to publishers warning them not to accept any RFP from the @Hyundai-inc.com e-mail domain.
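Every case in this story starts the same way: an RFP from a domain that resembles a real partner's (vonage-inc.com, hyundai-inc.com, spark-SMG.com against the real sparksmg.com). The following is an added example, not code from the article or from any publisher or agency it names, of the first-line check a sales desk can run on inbound RFP senders: normalise the sender domain, strip the decoy tokens scammers bolt on, and compare it against a list of partners verified out of band. The KNOWN_DOMAINS list, the FREEMAIL set, the decoy tokens and all sample addresses are constructed for the example; the only domain taken from the article is sparksmg.com.

```python
import re

# Constructed list of advertisers and agencies whose domains the sales team has
# verified out-of-band. The real Spark SMG domain is given in the article; the
# other entries are assumptions for the example.
KNOWN_DOMAINS = {
    "sparksmg.com": "Spark SMG",
    "vonage.com": "Vonage",
    "hyundai.com": "Hyundai",
}

# Generic mail providers: a "media buyer" writing from one of these gets the
# same manual verification as a lookalike domain.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Tokens bolted onto a real brand to mint a plausible-looking domain
# (the article's examples are vonage-inc.com and hyundai-inc.com).
DECOY_TOKENS = ("inc", "media", "ads", "group")


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels, so
    'mail.sparksmg.com' maps to 'sparksmg.com'. A real deployment would use
    the public suffix list instead."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Reduce a domain to a bare brand label: lower-case, drop the TLD, drop
    punctuation, strip decoy tokens. 'Spark-SMG.com', 'sparksmg.com' and
    'sparksmg-inc.com' all become 'sparksmg'."""
    label = registrable(domain).split(".")[0]
    label = re.sub(r"[^a-z0-9]", "", label)
    for tok in DECOY_TOKENS:
        # Only strip when enough of the label remains to still name a brand.
        if label.endswith(tok) and len(label) > len(tok) + 2:
            label = label[: -len(tok)]
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_sender(address: str) -> dict:
    """Classify the sender domain of an inbound RFP as 'known', 'freemail',
    'lookalike' (resembles a verified partner) or 'unknown'."""
    domain = registrable(address.rpartition("@")[2])
    if domain in KNOWN_DOMAINS:
        return {"domain": domain, "verdict": "known", "matches": KNOWN_DOMAINS[domain]}
    if domain in FREEMAIL:
        return {"domain": domain, "verdict": "freemail", "matches": None}
    norm = normalize(domain)
    for known, org in KNOWN_DOMAINS.items():
        ref = normalize(known)
        # Exact match after normalisation, or one edit away on a label long
        # enough that a single edit is unlikely to be coincidence.
        if norm == ref or (len(ref) >= 5 and levenshtein(norm, ref) <= 1):
            return {"domain": domain, "verdict": "lookalike", "matches": org}
    return {"domain": domain, "verdict": "unknown", "matches": None}


def needs_verification(addresses):
    """Return the RFP senders a salesperson should confirm by phone, using a
    number obtained independently rather than from the e-mail signature."""
    return [a for a in addresses if vet_sender(a)["verdict"] != "known"]


if __name__ == "__main__":
    # Constructed sample senders modelled on the domain patterns in the article.
    for addr in ["deborah@sparksmg.com", "buyer@spark-SMG.com",
                 "media@Hyundai-inc.com", "ops@vonage-inc.com",
                 "planner@gmail.com", "rfp@acme-agency.example"]:
        print(addr, "->", vet_sender(addr))
```

The check is deliberately conservative: it does not try to prove an address is fraudulent, only to decide which senders get the callback that Mr. Del's instinct about "individuals he'd never heard of" would otherwise have to cover on its own. The callback number must come from an independently known contact at the agency, since the scammers in this story were happy to get on the phone from a number they controlled.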
Gawker hasn't used third-party ad networks for several years, which is why the con men had to come in through the front door. They were first approached in late September by a duo, George Delarosa and Douglas Velez, claiming to represent Suzuki for Spark SMG and saying they had a $25,000 budget they had to spend quickly. Suzuki is still a client of Spark's, a spokesman said, declining to comment on the flap further.
Gawker sales associate James Del responded via e-mail: "I'm actually quite familiar with Spark ... I just met with Deborah, Shaun and Jeff about a week ago regarding Delta," then proceeded to quote rates for Jalopnik, Gizmodo, Deadspin, Gawker and Lifehacker and offered to do a sponsored post.
"Please whip up a proposal and let's try and get something going as we are in need of some major imps by the end of the month as we are under-delivering on our monthly impression levels for September," Mr. Delarosa responded via e-mail, and proceeded to negotiate, asking to have the campaign "blended into a lower overall eCPM" to bill the client.
While it seemed odd to Mr. Del that he'd never heard of these individuals, they cleverly deflected suspicion by getting on the phone several times and by buying a roadblock on Jalopnik -- at a higher CPM -- in addition to run-of-network across Gawker sites. "This guy was so good he'd probably be better off as a media buyer; he'd make more money," Mr. Del said.
A Spark SMG spokesperson said the agency sent a warning to 50 vendors after The New York Times was hit, but not to Gawker "because we rarely do business with Gawker."
But the brazenness of the scam was, at times, breathtaking. Because the malware was subtle, and didn't attack all visitors, it took some time before the comments started to roll in and Gawker caught wind of it. The ads came down on a Friday. On Monday, "Mr. Delarosa" called to ask why they weren't running. Mr. Del confronted him, but he stuck to his story and said if Gawker wouldn't run his ads, he'd take them elsewhere.
Mr. Caruso said the scammers would have very likely paid for the campaign. Depending on the goal of the scam, it can be a very good business. Identities can be resold to organized crime; scare ads can harvest sales of phony anti-virus software. In the end, the goal is not to get caught, because when they do, Mr. Caruso said, "they have to change their name, change their LLC and come up with a new scam."
How not to fall prey to a scam
~ ~ ~
CORRECTION: An earlier version of this story identified Initiative as a Publicis Groupe shop, rather than as an Interpublic Group of Cos. agency.