Anatomy Of An Attempted Malware Scam

The display media segment is the newest target of malvertising, the latest trend in online criminal methodology. The problem has escalated in recent months and despite many suppliers' best efforts, it continues to grow. The culprits behind many of these attacks are based in foreign states leaving little course to take action. While the best defense against malvertising is to prevent it from happening in the first place, this has proven to be a challenge for even the most astute publishers, networks and the like.

We were recently the targets of one such attempt, and while it certainly wasn't the first "fake agency" we've been besieged by (and that we've successfully stopped), it is one of the most organized efforts we've encountered so far. Below we've outlined the approach that was used and the findings of our investigation as an FYI to others who may be on the target list.

If there's anything we've learned since the practice of malvertising has surfaced (and has since proliferated), it's that you can't be too detailed with your client background checks and creative reviews. We've always been big on our screening procedures, and these days it's proving to be an increasingly valuable practice. Malvertising reflects negatively on the entire online media industry and the onus has to fall on us (suppliers) to put a stop to it. So, we want to share our learnings here for the greater community to hopefully benefit from.



Here is a breakdown of the approach used by the individuals behind our most recent malware experience, how we caught them, and the findings of our subsequent investigation. We've also highlighted some pink flags (and the ultimate red flag) that came up along the way, as well as our key takeaways from the experience including some of the steps we now have in place (and which you may want to consider implementing) to help us identify similar perpetrators sooner than later.

Initial contact, proposal and campaign review

The culprits approached us in early July representing themselves as an agency looking to place a campaign for both a big name charity and a travel client (we are omitting names to protect their brands from being associated with this scam. We have no reason to believe they were involved). Following our proposal phase, "Bellas," informed us that the big name charity was still "undergoing approval phase", but that their travel client had approved a test on our network and wanted to proceed.

(Pink flag: while not completely implausible, it is rare for an unknown agency to bring one or more large brands to the table, let alone doing so without first undergoing a formal RFI/RFP process.)

Despite the pink flag, we proceeded, and because we had never worked with this agency before, we began by processing their request for credit. Each of the references provided had professionally produced websites and unique phone numbers -- nothing at the surface level that would raise any suspicion. The bank reference was real (a real bank, that is) and the phone number provided worked. The information we requested was supplied to us in an official, expected manner. Nothing out of the ordinary here.

All three references we contacted provided prompt and friendly responses and each reported that they had been doing business with Bellas for anywhere between two years and six months at fairly respectable sums.

For added assurance, the "fake agency" supplied us with a PDF which was represented as an official document of incorporation.

With no glaring reason to deny, we approved their application for limited starter credit and proceeded to the next step, campaign setup.

Campaign Setup and QA

The campaign's goals were a little unusual for what we would typically consider to be a direct response advertiser:

We are really focused on reach and unique viewers optimizations. Thus tight frequency cap like 1/24 or 1/48 can work. CTR is secondary goal at this point. A lot of people don't know much about client services and we want to cover every single possible customer.

We logged their goals and rationale. We also noted them as a pink flag. The proprietors of these scams typically focus more on unique reach and frequency than on targeting, audience or optimization - a focus that, in general terms, is most unusual for the average online advertiser. Of course, in hindsight, their interest in unique reach stemmed from their desire to infect across the widest possible net.

On our initial request for creative, "Bellas" provided us with a set of third-party tags, which were rejected because they were not from one of our certified ad serving vendors.

We were then provided with raw creative files. While the creative were clean (i.e. no malicious code), there were some minor design flaws including missing borders and file sizes that exceed our standard maximums. We informed them of these issues and they responded:

We are currently run[ning] with AOL and Yahoo (including comscore 1-150 pubs) and they are cool.

Hum, really? AOL and Yahoo have some of the strictest ad specs around...(pink flag).

After some lengthy back and forth about the creative revisions...

We are not able to reduce creative size without sacrificing quality. If you cannot run creative size more than 20kb -- we can host. If not -- we wont be able to proceed with campaign.

"Bellas," at that point, requested that we run an impression tracking URL. The "OpenX" URL provided to us was flagged during our QA review, another pink flag; the formatting and characters were not consistent with the standard employed by OpenX. We informed Bellas that to use the URL we would need to perform a few modifications to make it consistent with the standard. We provided an example of the modified URL and then received the following responses:

I have contacted OpenX support to find out. Meanwhile I got another pixel for you. We have used it with our hosted campaigns and it worked wonders.

Client prefers Eyeblaster tracking URL (their ad server). Would be cool if you can implement. If not -- OpenX is perfectly fine.

Next, Bellas, informed us of the "response" they received from "OpenX support" and then supplied us with a new pixel to use.

"Hi Henry. Looks like Casale runs , which is NOSCRIPT part of the code, instead of JS pixel (script part), that affects reporting a bit and you cannot add any additional tracking code." Are you able to implement JS OpenX pixel or Eyeblaster pixel directly? Alternatively, we can provide tags.

After informing "Bellas" that we would forward the new pixel to our traffic team for evaluation, we received the following response...

Client have sent another pixel, from zedo.

Pink flag. So now we have a client who wanted to serve through OpenX, then Eyeblaster, and now Zedo? Really? We reviewed the Zedo tracking URL and asked for confirmation about a few details since it did not conform to the ad server's standard. They replied,

For JS pixel to work properly, you need to load is exactly like that ... Will work.

Red flag! The set of tags provided were imitation tags. We ended discussions with the client at this point since things were just not adding up, and launched a detailed investigation to confirm our suspicions.

During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. And finally, the Bellas Interactive website claimed to be in operation since 1994, despite the fact that the domain was registered in April of this year.

In Summary
Entities like this are cunning and smart. Their scams are well thought through and executed. The best defence against them is rigorous proactive screening. You have to be really, really astute. Question everything. These guys know the industry lingo, procedures and have created a false environment designed specifically to validate their non-existence. Even the most insignificant detail can be a huge clue.

Our Lessons Learned and Advice for Others

  1. Perform independent fact checking.
    Don't take the information provided to you on bank/credit reference applications at face value. Perform a few spot checks to validate the sources. If, when we looked up the bank reference, we had cross referenced the phone number provided by Bellas with the numbers listed on the bank's website, we would have exposed a major crack in their armour upfront, which would have saved us a lot of wasted time and effort.
  2. Research. Then research some more.
    Make it SOP to do research on not only the agency in question, but the credit references provided to you. Search for them online, do a WHOIS lookup on the domains, ask around. Make certain that everything adds up. You can't be too cautious.
  3. When the going gets tough...
    If a client is difficult to work with, there's probably a reason for it. Standards exist for a reason. Any account that is operating outside the norms should register as an immediate red flag to you. Issues surrounding pixels, creative design, obsession over going live too quickly with no sound rational or justification...any of these examples should set alarm bells off in your head!
  4. Be suspicious.
    Perception is selective. It's natural for small details to escape us when we're not on guard or actively looking for something. It's also easy to get overly comfortable with the mechanics of a standard procedure. If you approach every new account with suspicion, you'll be far more aware of any detail that may seem out of place.
  5. Don't assume. Question and verify.
    Certify third party ad servers that you are willing to deliver through, and keep clear lines of communication open with them at all times. Store tag templates and use them in your QA/review process. If a tag deviates from the standard template that you typically see from a third party ad server, escalate to them for an opinion. Never assume that the template has changed, always question it.
  6. Re-examine critical points in your new account process.
    When an account is new, consider minimizing the involvement of your sales staff in the review and verification process. In some cases, a sales person's thirst for new revenue can hamper their nose for suspicious behavior.
3 comments about "Anatomy Of An Attempted Malware Scam".
Check to receive email when comments are posted.
  1. Chris Nielsen from Domain Incubation, August 2, 2010 at 2:49 p.m.

    My company is small, yet we do checks to validte information when new people contact us. All the pink flags, yet look how far you got in the process.

    This is a wonderfully detailed story and thanks so much for sharing it with everyone. The problem certainly is not limited to the marketing and advertising industry, but I was surprised that scammers would do to you directly to spread their infections. I guess they make enough that they can afford to pay for access and not just steal it? Scary thought...

  2. Kristian Wilson from Burstly, August 2, 2010 at 3:37 p.m.

    Thank you for sharing. Very insightful. I've seen a few more out there that fit the mold you described: (not to be confused with and Seller beware!

  3. Summer Koide, August 2, 2010 at 8:42 p.m.

    This is a great article and will be of so much use to smaller and new companies who haven't learned all the tricks of the trade yet. I really appreciate that everyone is banding together to share useful information. Here at ZEDO, we're renewing our relationships with all the major ad networks and ad servers to keep these lines of communication active and open. I've found that everyone's willing to work together on this regardless of whether or not there is a direct competitive relationship.

Next story loading loading..