Publicis Asks Federal Authorities To Investigate Fraudulent Online Insertion Order

Starcom MediaVest Group has contacted federal authorities who are conducting a criminal investigation of a fraudulent online media buy placed on behalf of client Suzuki by someone posing as an executive of SMG's Spark Communications unit. The buy, which placed a banner ad on Gawker.com that launched a malware attack against users of the site, is the latest in a string of online insertion orders placed by malware purveyors on major publishers' sites, and is believed to be the first to successfully mimic the identity of a major advertising agency. It also comes just weeks after SMG and other units of Publicis Groupe sent letters to online publishers warning them to be vigilant against such attacks, and to take extraordinary manual steps to confirm the orders directly with one of the agency's executives before placing them (Online Media Daily, Oct. 12th).

"The Gawker situation is currently under investigation. We will continue to work closely with our vendors to be diligent and absolute about insertion orders and ad placement," said a spokeswoman from VivaKi, the unit that oversees Publicis' digital and media buying operations.

Publicis executives said they do not know who the perpetrator is, even though the person or persons demonstrated sophisticated knowledge of the agency's media-buying process, and successfully navigated through several checks and balances undertaken by the Gawker sales team before they processed the order. The sophistication is evident in the email exchange below, which the Gawker sales team leaked to industry blogger Silicon Alley Insider to draw attention to the incident.

Among other things, the poser closely mimicked Spark Communications' email address, and exhibited behavior consistent with that of an actual online media buyer, going so far as attempting to negotiate the price of the buy with Gawker's sales team.
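The sender-domain check below is an added example, not part of the original article or of any publisher's actual tooling. It flags the kind of near-match seen in the leaked correspondence (@spark-smg.com against the agency's @sparksmg.com); the allowlist contents, function names and the distance threshold are assumptions.

```python
import re

# Agency domains the publisher already trades with (assumed allowlist).
# sparksmg.com is the agency domain named in the correspondence;
# agency.example is a constructed placeholder.
KNOWN_AGENCY_DOMAINS = {"sparksmg.com", "agency.example"}

# Digits commonly swapped in for letters in lookalike registrations.
DIGIT_SWAPS = str.maketrans("0135", "oles")


def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def skeleton(domain):
    """Drop the TLD and separators so spark-smg.com and sparksmg.com collide."""
    label = domain.rsplit(".", 1)[0]
    return re.sub(r"[-_.]", "", label).translate(DIGIT_SWAPS)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, known=KNOWN_AGENCY_DOMAINS):
    """Return (verdict, matched_domain): known, lookalike, unknown or reject."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("reject", None)
    for good in sorted(known):
        if domain == good or domain.endswith("." + good):
            return ("known", good)
    for good in sorted(known):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return ("lookalike", good)  # hold the order; confirm by phone
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed inputs; the first sender is the one in the leaked thread.
    for header in ("George Delarosa <george@spark-smg.com>",
                   "buyer@sparksmg.com", "media@unrelated.example"):
        print(header, "->", classify_sender(header))
```

A `lookalike` verdict is the trigger for the verbal confirmation with a known agency contact that Publicis asked publishers to perform; a `known` verdict says nothing about whether the mailbox itself is under the right person's control.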

"This guy wanted to negotiate rates with us. Spammers don't negotiate rates," Gawker sales executive James Del told OMD, adding, "They were asking questions that only someone who worked in advertising would know. This was not some kid in the basement in Kiev trying to get their malware out there."

Del said the buyer demonstrated other sophisticated behavior that led the Gawker sales team to believe it was a legitimate insertion order being placed on behalf of Suzuki by Spark Communications. For example, when Gawker was offered the ad from an ad server the sales team was not familiar with, the perpetrator responded by serving it via AdJuggler, a server the Gawker team routinely conducts business with.

"These guys were sophisticated enough to use a server that they knew we were familiar with to get their ads accepted. And they were also redirecting through DoubleClick," Del said.

That level of sophistication demonstrates how quickly the problem of fraudulent online insertion orders is evolving. When The New York Times' Web site accepted a bogus ad ostensibly placed directly by a malware purveyor posing as broadband telecommunications provider Vonage, it changed the protocol of its ad operations team to only accept ads from servers listed as recognized providers to the paper's Web site.

Publicis executives claim that the Gawker sales team failed to take the extra step the agency requested when it sent letters to publishers earlier this month asking them to be vigilant against fake online insertion orders: to confirm suspicious orders verbally with someone they knew to be a Publicis agency executive with the authority to place the insertion order.

Publicis executives said they had no prior knowledge that such a buy would actually occur, but they said the recent acceleration of fake insertion orders, such as those placed through ad network buys on major publishers ranging from the Times to Foxnews.com to the Huffington Post, gave them reason to believe that something could occur and that it would be necessary to put publishers on notice. It's unclear whether any other major advertising agency groups have sent out similar notices to date, but none of the publishers contacted by OMD said they were aware of other agencies taking similar steps.

"We're not singling anyone out here," a Publicis executive said, "but if you're getting an insertion from somebody that you're not familiar with, or doesn't normally do business with you, you should take the extra step and contact the agency and speak to someone you know. In the short-term, this is going to create some manual checks and balances, but in the long-term it will help our industry."

Editor's note: The following is the email correspondence leaked to Silicon Alley Insider by Gawker's sales team:

> ---------- Forwarded message ----------
> From: George Delarosa <george@spark-smg.com>
> Date: Wed, Sep 23, 2009 at 10:56 PM
> Subject: Agency Inquiry
> To: advertising@gawker.com
>
>
> Dear All,
>
>
>
> I am writing from Spark Communications - a full-service media agency
> with a client-centric approach. We are looking to place display
> advertisements for some of our premium clients.
>
> Spark is a part of - and backed by the power of Starcom MediaVest
> Group - one of the largest and most celebrated global brand
> communications and consumer contact organizations, with more than 110
> offices in 67 countries worldwide.
>
> I work with Automotive and Entertainment clients in Spark. First and
> foremost, we want to run a performance campaign for Suzuki across your
> network. Our budget to start is $25k+. Campaign should be live by the
> end of the month. We can also run on moviefone and/or entertainment
> verticals.
>
> Please let me know your rates, inventory and volume so we can include
> you in our upcoming media plans.
>
>
>
> Thank you,
>
>
>
> George Delarosa
>
> Spark Communications
>
> george@spark-smg.com
>
> 222 Merchandise Mart Plaza
>
> Suite 550
>
> Chicago, IL 60654
>
> www.spark-smg.com
>
> (312) 376-8131
>
> Skype - george.delaros

 

The full correspondence follows in reverse chronological order below, ending with this warning from Gawker.  Note that this fellow knew how to talk the talk.

 


 

From: GAWKER SALES GUY

  • Someone is approaching publishers as a representative of Spark-SMG on the Suzuki account, even though Suzuki very recently switched agencies.
  • George Delarosa and his accomplice Douglas Velez claim that there's a limited amount of money left in the Suzuki account for them to spend, and they need to spend it quickly.
  • They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB sizes, lead generation, traffic coordinators, etc.
  • Email comes from @spark-smg.com instead of @sparksmg.com, though the who-is for their spoof domain is very close to the actual domain (Erin has links in her original email)
  • They maintain a Chicago area code (where Spark is based) but claim to be in London, even though they couldn't give us the actual time in London when asked.
  • Unlike most spammers, these guys were happy to jump on the phone to get ads back up and running.
  • Clue that should have tipped us off was that we had to use our IO template...most major agencies like Spark have their own IO template.
But as far as malware distributors go, this guy is easily one of the most convincing I've ever seen. I doubt George is his real name, but whoever it is definitely worked in online ad sales at some point.

 





---------- Forwarded message ----------
From: GAWKER SALES GUY
Date: Sun, Oct 25, 2009 at 1:34 PM
Subject: Fwd: Agency Inquiry - Suzuki?



Look at how together this guy was! Corporate politics, eCPM, premium branding, IAB sizes, re-evaluating rates! Outrageous.

---------- Forwarded message ----------
From: George Delarosa <george.delarosa@spark-smg.com>
Date: Tue, Sep 29, 2009 at 2:14 PM
Subject: RE: Agency Inquiry - Suzuki?

To: GAWKER SALES GUY
Cc: douglas.velez@spark-smg.com

Sorry for the delay, James, but this had to go through the typical corporate politics. Attached is an executed IO. My traffic coordinator Douglas will be sending creatives. Feel free to call either of us if you have any questions with the campaign. thanks

 


From: GAWKER SALES GUY
Sent: Monday, September 28, 2009 8:56 AM
To: george.delarosa@spark-smg.com; george@spark-smg.com

Subject: Re: Agency Inquiry - Suzuki?

 

Just FYI, we'll need tags this afternoon if we want to do the roadblock tomorrow. Let me know if we're good to go!

On Sun, Sep 27, 2009 at 10:41 PM, GAWKER SALES GUY wrote:

Hey man-

 

Tried sending this Saturday morning, but it just bounced back. Please let me know if you receive it!


---------- Forwarded message ----------
From: GAWKER SALES GUY
Date: Sat, Sep 26, 2009 at 11:17 AM
Subject: Re: Agency Inquiry - Suzuki?
To: george.delarosa@spark-smg.com


Hey George-

Sorry for the delay...I'm in the back woods of North Carolina right now at my boss' wedding and internet connection has been difficult to come across. Attached is an insertion order...just go ahead and sign and fax/email back to me and have tags sent over as soon as you can so we can get things running.

Thanks, and we can definitely discuss rates again next month.

-j


On Fri, Sep 25, 2009 at 12:46 PM, George Delarosa <george.delarosa@spark-smg.com> wrote:

Okay, I appreciate your flexibility. We will give it a shot. Thanks for the quick turnaround. Please send me your paperwork and I will get everything off to you today. We may need to re-evaluate the rates in October based on performance and client feedback, though.

 

From: GAWKER SALES GUY
Sent: Friday, September 25, 2009 12:43 PM
To: george.delarosa@spark-smg.com


Subject: Re: Agency Inquiry - Suzuki?

 

Hey George-

We can't budge too much on the eCPM...these are some of our lowest rates available ($8 is the published rate for roadblocks and ROS, and $3 is the published rate for RON). For your reference, you can check out http://advertising.gawker.com/rates

That said, happy to try and make it work for ya. See attached and let me know if we can swing it. I'll be getting on a plane in 20 minutes, but will be landing around 6:30 PM EST and will be able to get this off to our traffic team tonight or tomorrow morning if we get sign off.

-j

On Fri, Sep 25, 2009 at 11:35 AM, George Delarosa <george.delarosa@spark-smg.com> wrote:

Thank you [GAWKER SALES GUY]. I appreciate the added value, but would rather have it be blended into a lower overall eCPM as that is how we bill the client. The prices are already on the high end of what we are currently running for this campaign. Please repurpose and send back to me and then I will contact traffic about getting everything over to you (if approved). Thanks!

 

From: GAWKER SALES GUY
Sent: Friday, September 25, 2009 7:35 AM

Subject: Re: Agency Inquiry - Suzuki?

 

Hey-

 

Attached is a proposal based on the information I sent you...let me know what you think and we can tweak accordingly. I'll be traveling later today (flight at 4pm) but will have access to email up until that point, so we can definitely get things rolling as quickly as possible.


--

On Fri, Sep 25, 2009 at 9:59 AM, GAWKER SALES GUY wrote:

Ah, London would totally explain the late night email!

 

I'm working on a plan for you right now...if we get a signed IO this afternoon we can probably have tags up for you by tomorrow. How much do you want this month versus next? I'm thinking we can do some home page roadblocks on Jalopnik next week (maybe 2?) and then have the optimized RON stuff run for the remainder of the campaign (through October).

 

Or we can just cram the 25k into the next week, if that's what you're looking for. Just let me know and I'll get something back to you right away.

 

On Fri, Sep 25, 2009 at 4:52 AM, George Delarosa <george@spark-smg.com> wrote:

Thank you James. This all sounds good. The campaign is not as performance based, though, as it is about a) premium branding b) click through and c) lead generation. We are only interested in standard IAB banner sizes right now as that's what we have sign off for. Please whip up a proposal and let's try and get a rush on getting something going as we are in need of some major imps by the end of the month as we are under delivering on our monthly impression levels for September. Also, I am in London currently. Thank you.

 


From: GAWKER SALES GUY
Sent: Thursday, September 24, 2009 10:32 AM
To: george@spark-smg.com
Cc: Michael Cascio


Subject: Re: Agency Inquiry - Suzuki?

 

Hello George!

 

Great to hear from you! I'm actually quite familiar with Spark...I just met with Deborah, Shaun and Jeff about a week ago regarding Delta. We'll definitely need to meet up next time I'm in town!

 

We can definitely set up a 25k performance campaign for you, and we have a few ways of going about that. In case you're not familiar, Gawker Media is a collection of 8 blogs, each covering a distinct beat. Our rates work in such a way that the more sites you buy, the lower the rate is. Considering you're fine with running against entertainment verticals, the sites I'd probably suggest for Suzuki would be:

 

-Jalopnik (our automotive site)

-Gizmodo (technology)

-Deadspin (sports)

-Gawker (Entertainment)

-Lifehacker (Productivity)

 

We also have Jezebel (women's entertainment) and io9 (science fiction), so you can feel free to add these titles (or exclude some of the titles above). Since your campaign is performance based, we can utilize our ad server's ADAPT functionality, which specifically targets users most likely to click on your banner. The more sites we run on, the better it works.

 

Our run of network rate for a $25k buy is around the $3-4 range for standard sizes, and you can see a full copy of our public rate card here

 

At a 25k spend level, we can also offer you some pretty sweet custom executions as well, such as our custom panorama size (replaces the standard sized 728x90 unit with a much larger/better performing 800x250). You can see examples of the panorama here.

 

We can also execute a sponsored post for you at the 25k level as added value, which is an amazing way to integrate your messaging into our editorial flow. As the name suggests, it is a post that moves down the page just like a standard story on one of our sites, but instead of being written by one of our editors it is written specially by our advertising copywriter with direction from your creative team. The post can have video, pictures, and links, and it's one of our strongest offerings in terms of conversions. If you go to Gawker.com around 2pm, you should be able to see a sponsored post for the TV show "Bored to Death" within the editorial flow.

 

So please let me know what you think and I can whip a proposal up for you. Given your spend level and the sites I suggested, we can probably get you around a 5%-10% share of voice, but we can tweak that in either direction to accomplish what it is you're looking to do.

 

Thanks again for reaching out!

 

--
GAWKER SALES GUY


>
> ---------- Forwarded message ----------
> From: George Delarosa <george@spark-smg.com>
> Date: Wed, Sep 23, 2009 at 10:56 PM
> Subject: Agency Inquiry
> To: advertising@gawker.com
>
>
> Dear All,
>
>
>
> I am writing from Spark Communications - a full-service media agency
> with a client-centric approach. We are looking to place display
> advertisements for some of our premium clients.
>
> Spark is a part of - and backed by the power of Starcom MediaVest
> Group - one of the largest and most celebrated global brand
> communications and consumer contact organizations, with more than 110
> offices in 67 countries worldwide.
>
> I work with Automotive and Entertainment clients in Spark. First and
> foremost, we want to run a performance campaign for Suzuki across your
> network. Our budget to start is $25k+. Campaign should be live by the
> end of the month. We can also run on moviefone and/or entertainment
> verticals.
>
> Please let me know your rates, inventory and volume so we can include
> you in our upcoming media plans.
>
>
>
> Thank you,
>
>
>
> George Delarosa
>
> Spark Communications
>
> george@spark-smg.com
>
> 222 Merchandise Mart Plaza
>
> Suite 550
>
> Chicago, IL 60654
>
> www.spark-smg.com
>
> (312) 376-8131
>
> Skype - george.delarosa

 

 

3 comments about "Publicis Asks Federal Authorities To Investigate Fraudulent Online Insertion Order".
  1. Monica Bower from TERiX Computer Service, October 28, 2009 at 10:36 a.m.

    It's unlikely anyone needs to look any further than SparkSMG's recent fires/layoffs/quitters. This degree of premeditation doesn't happen without accompanying motive and Occam's razor says it's someone who used to be exactly what the malware (not maleware, incidentally, that's a whole other thing) spoofer claims he is.

    Of course I read a lot of true crime books, so maybe it's not that simple - but it probably is.

  2. Adam Tuttle from _, October 28, 2009 at 11:39 a.m.

    This is a beacon, an indication of the bigger problem that is emerging in the ad world. These Malware insertions are becoming more and more sophisticated and will continue to appear more often as the bad guys find them as easy ways to make massive profits.

    The fact that they came in through the front door only shows the level of deceit and audacity these guys have. As they are really just taking advantage of lapses in policies and security holes in these networks' and sites' ad trafficking policies and practices. After all, is it easier to rob a bank by walking into the lobby or breaking in through the wall?

    The real problem is that they are hitting the networks through the exchanges and swapping out good ads for bad in the middle of the night. Regardless of the amount of checks and balances they'll find a way. The only solution is automated scanning of all tags and creatives.

  3. Mike Einstein from the Brothers Einstein, October 28, 2009 at 2:50 p.m.

    Suzuki, and Publicis by proxy, should thank their lucky stars that CTRs are now less than .1%. Imagine if folks actually clicked on the banners!

    The bad guys are only half the problem (maybe less). The real fraud is the one being perpetrated by those who blindly worship at the altar of scale, where everything is countable and unaccountable at the same time.

    Once again, the intermediaries are wrecking the joint. And try to pass the buck as they may, it has to stop somewhere.
