Monday, November 15, 2010

Anatomy Of An Attempted Malware Scam

I stumbled across this fascinating inside account of how cyber criminals infiltrate online advertising by Julia Casale-Amorim of Castle Media. Try not to get lost in the technical jargon of the advertising world and instead focus on the criminal's cleverness and level of effort.

The display media segment is the newest target of malvertising, the latest trend in online criminal methodology. The problem has escalated in recent months and despite many suppliers' best efforts, it continues to grow. The culprits behind many of these attacks are based in foreign states, leaving little recourse for taking action. While the best defense against malvertising is to prevent it from happening in the first place, this has proven to be a challenge for even the most astute publishers, networks and the like.

We were recently the targets of one such attempt, and while it certainly wasn't the first "fake agency" we've been besieged by (and that we've successfully stopped), it is one of the most organized efforts we've encountered so far. Below we've outlined the approach that was used and the findings of our investigation as an FYI to others who may be on the target list.

If there's anything we've learned since the practice of malvertising has surfaced (and has since proliferated), it's that you can't be too detailed with your client background checks and creative reviews. We've always been big on our screening procedures, and these days it's proving to be an increasingly valuable practice. Malvertising reflects negatively on the entire online media industry and the onus has to fall on us (suppliers) to put a stop to it. So, we want to share our learnings here for the greater community to hopefully benefit from.

Here is a breakdown of the approach used by the individuals behind our most recent malware experience, how we caught them, and the findings of our subsequent investigation. We've also highlighted some pink flags (and the ultimate red flag) that came up along the way, as well as our key takeaways from the experience including some of the steps we now have in place (and which you may want to consider implementing) to help us identify similar perpetrators sooner than later.

Initial contact, proposal and campaign review

The culprits approached us in early July representing themselves as an agency looking to place a campaign for both a big name charity and a travel client (we are omitting names to protect their brands from being associated with this scam; we have no reason to believe they were involved). Following our proposal phase, "Bellas" informed us that the big name charity was still "undergoing approval phase", but that their travel client had approved a test on our network and wanted to proceed.

(Pink flag: while not completely implausible, it is rare for an unknown agency to bring one or more large brands to the table, let alone doing so without first undergoing a formal RFI/RFP process.)

Despite the pink flag, we proceeded, and because we had never worked with this agency before, we began by processing their request for credit. Each of the references provided had professionally produced websites and unique phone numbers -- nothing at the surface level that would raise any suspicion. The bank reference was real (a real bank, that is) and the phone number provided worked. The information we requested was supplied to us in an official, expected manner. Nothing out of the ordinary here.

All three references we contacted provided prompt and friendly responses and each reported that they had been doing business with Bellas for anywhere between two years and six months at fairly respectable sums.

For added assurance, the "fake agency" supplied us with a PDF which was represented as an official document of incorporation.

With no glaring reason to deny, we approved their application for limited starter credit and proceeded to the next step, campaign setup.

Campaign Setup and QA

The campaign's goals were a little unusual for what we would typically consider to be a direct response advertiser:

We are really focused on reach and unique viewers optimizations. Thus tight frequency cap like 1/24 or 1/48 can work. CTR is secondary goal at this point. A lot of people don't know much about client services and we want to cover every single possible customer.

We logged their goals and rationale. We also noted them as a pink flag. The proprietors of these scams typically focus more on unique reach and frequency than on targeting, audience or optimization - a focus that, in general terms, is most unusual for the average online advertiser. Of course, in hindsight, their interest in unique reach stemmed from their desire to infect across the widest possible net.

On our initial request for creative, "Bellas" provided us with a set of third-party tags, which were rejected because they were not from one of our certified ad serving vendors.

We were then provided with raw creative files. While the creative was clean (i.e. no malicious code), there were some minor design flaws, including missing borders and file sizes that exceeded our standard maximums. We informed them of these issues and they responded:

We are currently run[ning] with AOL and Yahoo (including comscore 1-150 pubs) and they are cool.

Hum, really? AOL and Yahoo have some of the strictest ad specs around...(pink flag).

After some lengthy back and forth about the creative revisions...

We are not able to reduce creative size without sacrificing quality. If you cannot run creative size more than 20kb -- we can host. If not -- we wont be able to proceed with campaign.

"Bellas", at that point, requested that we run an impression tracking URL. The "OpenX" URL provided to us was flagged during our QA review, another pink flag; the formatting and characters were not consistent with the standard employed by OpenX. We informed Bellas that to use the URL we would need to perform a few modifications to make it consistent with the standard. We provided an example of the modified URL and then received the following responses:

I have contacted OpenX support to find out. Meanwhile I got another pixel for you. We have used it with our hosted campaigns and it worked wonders.

Client prefers Eyeblaster tracking URL (their ad server). Would be cool if you can implement. If not -- OpenX is perfectly fine.

Next, Bellas informed us of the "response" they received from "OpenX support" and then supplied us with a new pixel to use.

"Hi Henry. Looks like Casale runs , which is NOSCRIPT part of the code, instead of JS pixel (script part), that affects reporting a bit and you cannot add any additional tracking code." Are you able to implement JS OpenX pixel or Eyeblaster pixel directly? Alternatively, we can provide tags.

After informing "Bellas" that we would forward the new pixel to our traffic team for evaluation, we received the following response...

Client have sent another pixel, from zedo.

Pink flag. So now we have a client who wanted to serve through OpenX, then Eyeblaster, and now Zedo? Really? We reviewed the Zedo tracking URL and asked for confirmation about a few details since it did not conform to the ad server's standard. They replied,

For JS pixel to work properly, you need to load is exactly like that ... Will work.

Red flag! The set of tags provided were imitation tags. We ended discussions with the client at this point since things were just not adding up, and launched a detailed investigation to confirm our suspicions.

During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. And finally, the Bellas Interactive website claimed to be in operation since 1994, despite the fact that the domain was registered in April of this year.

In Summary

Entities like this are cunning and smart. Their scams are well thought through and executed. The best defence against them is rigorous proactive screening. You have to be really, really astute. Question everything. These guys know the industry lingo and procedures, and have created a false environment designed specifically to lend credibility to a company that does not exist. Even the most insignificant detail can be a huge clue.

Our Lessons Learned and Advice for Others

Perform independent fact checking.
Don't take the information provided to you on bank/credit reference applications at face value. Perform a few spot checks to validate the sources. If, when we looked up the bank reference, we had cross referenced the phone number provided by Bellas with the numbers listed on the bank's website, we would have exposed a major crack in their armour upfront, which would have saved us a lot of wasted time and effort.

Research. Then research some more.
Make it SOP to do research on not only the agency in question, but the credit references provided to you. Search for them online, do a WHOIS lookup on the domains, ask around. Make certain that everything adds up. You can't be too cautious.
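As an added example, not part of the original article, the script below applies the three WHOIS cross-checks the investigation describes (a reference domain created after the relationship it vouches for supposedly began, created only days before the credit request, or created within a couple of days of the other references) to a constructed set of references; the domains, dates and claimed relationship lengths are invented for illustration, not the real ones from the case.

```python
from datetime import date, timedelta
from itertools import combinations

# Constructed sample data (invented for illustration, not from the article): the credit
# references a prospective "agency" supplied, how many months each claimed to have done
# business with it, and the creation date a WHOIS lookup returned for each domain.
CREDIT_REQUEST_DATE = date(2010, 7, 6)
REFERENCES = [
    {"domain": "ref-one.example",     "claimed_months": 24, "created": date(2010, 6, 29)},
    {"domain": "ref-two.example",     "claimed_months": 12, "created": date(2010, 6, 30)},
    {"domain": "ref-three.example",   "claimed_months": 6,  "created": date(2010, 7, 1)},
    {"domain": "old-partner.example", "claimed_months": 18, "created": date(2007, 3, 2)},
]


def check_references(refs, request_date, recent_days=14, cluster_days=2):
    """Return {domain: [reasons]} for references whose WHOIS data contradicts their story.

    Three checks, each mirroring a finding from the investigation:
      1. the domain was created after the relationship it vouches for supposedly began;
      2. the domain was created only days before the credit request arrived;
      3. several reference domains were created within `cluster_days` of each other.
    A reference with no findings is left out of the result.
    """
    findings = {r["domain"]: [] for r in refs}
    for r in refs:
        # Approximate the claimed start of the relationship from the stated months.
        claimed_start = request_date - timedelta(days=30 * r["claimed_months"])
        if r["created"] > claimed_start:
            findings[r["domain"]].append("registered after the claimed relationship began")
        age = (request_date - r["created"]).days
        if 0 <= age <= recent_days:
            findings[r["domain"]].append(f"registered {age} days before the credit request")
    # Pairwise comparison catches references that were all set up in one batch.
    for a, b in combinations(refs, 2):
        if abs((a["created"] - b["created"]).days) <= cluster_days:
            findings[a["domain"]].append(f"registered within {cluster_days} days of {b['domain']}")
            findings[b["domain"]].append(f"registered within {cluster_days} days of {a['domain']}")
    return {d: reasons for d, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for domain, reasons in check_references(REFERENCES, CREDIT_REQUEST_DATE).items():
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

In practice the `created` values would come from a WHOIS or RDAP lookup run at credit-application time; the checks themselves need nothing but the dates.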

When the going gets tough...
If a client is difficult to work with, there's probably a reason for it. Standards exist for a reason. Any account that is operating outside the norms should register as an immediate red flag to you. Issues surrounding pixels, creative design, obsession over going live too quickly with no sound rationale or justification...any of these examples should set alarm bells off in your head!

Be suspicious.
Perception is selective. It's natural for small details to escape us when we're not on guard or actively looking for something. It's also easy to get overly comfortable with the mechanics of a standard procedure. If you approach every new account with suspicion, you'll be far more aware of any detail that may seem out of place.

Don't assume. Question and verify.
Certify third party ad servers that you are willing to deliver through, and keep clear lines of communication open with them at all times. Store tag templates and use them in your QA/review process. If a tag deviates from the standard template that you typically see from a third party ad server, escalate to them for an opinion. Never assume that the template has changed, always question it.

Re-examine critical points in your new account process.
When an account is new, consider minimizing the involvement of your sales staff in the review and verification process. In some cases, a sales person's thirst for new revenue can hamper their nose for suspicious behavior.


Adam Fine said...

It is surprising that this company did not thoroughly check the client agency they were working with. It seems to me like this should be SOP for all companies working online; the cost of spending extra time fact-checking a potential client must be less than the potential effects of whatever the criminal seeks to do. This article is a perfect example of the sales-driven world we live in, and is generalizable to explaining why so many software companies produce products with so many vulnerabilities.

Reilly said...

It's interesting to me how smart the hackers are getting. They spend a lot of time making sure that everything looks right on the surface. However, at the same time, they do some really stupid things to give themselves away. For example, just saying "We are currently running with AOL and Yahoo and they are cool" isn't a very good answer to a legitimate question. They definitely could have done a better job closing. However, there are definitely agencies that would have fallen for this. The point at the end is very good - a good way to help the problem is to not have salespeople involved in the application review process since they're too focused on getting new revenue. The key for ad networks is definitely to make sure that they have a thorough review process for new accounts, and for every creative they get.

Erin Booth said...

Wow. Maybe it's just because I just don't completely understand all of the technical jargon, but I really was not tipped off at any point by the various 'pink flags.' At the end, when she identified the 'red flag' I still did not really comprehend what gave him away. However, during the investigation she discovered that the bank phone number was not legitimate and the other suspicious facts regarding how recently the domains of each of his sites were created, which seemed to be much more obvious clues. It surprised me how easily the criminal was able to fool the advertising agency just by using fake websites and references, and being able to communicate with the right 'industry lingo'. I would have thought that the first thing the targeted agency would have done was check the registration dates of the domains he sent them. I think that doing that would have immediately exposed him, and is a lot easier and quicker than waiting for things to play out. Furthermore, maybe I'm wrong on this, but it seems that cyber criminals would have a pretty hard time faking a domain registration date, if that is possible at all, so maybe that should be step one. Nevertheless, the message of this article is clear: you can't be too careful. Cyber criminals are extremely clever and develop well thought out plans, and so in order to detect them, you have to be even more shrewd than they are.

Christina O'Tousa said...

Many Malware scams are hard to regulate because they stem from outside of the country. If the United States passed more complex laws against Malware activity, we still can't punish individuals from other countries for laws that their countries don't have. In order to develop more defensive techniques against malvertising, there needs to be national technological and manpower capabilities through enacting new laws. Promoting a higher level of industry-government cooperation and pushing for coordination within the international community is essential.
A different idea of self-regulation by markets has been introduced because of the complex nature of transnational law regulation. It would be the job of companies like Castle Media to identify Malware perpetrators and prevent them from malvertising. The ways to prevent fake companies from taking advantage of your advertising firm are to cross-check the facts, be suspicious of anything out of the ordinary because standards exist for a reason, and don't get overly comfortable - always be a bit suspicious.
This study confirms how everybody can fall for a scam under the right circumstances. This company was used to encountering "fake agencies", yet because of this scam company's knowledge of industry lingo, it took them a while to finally see the red flags. Malvertising companies are becoming bolder and bolder in trying to dupe other companies instead of just naive computer users. This study really opened my eyes up to how far these scammers will go to scam the largest and most diverse audience possible.

Patricia Kehoe said...

I agree with both of my classmates on this one. It is hard to believe that so many "pink flags" do not add up to a red flag without the process getting so far along! I wonder what kind of legal ramifications could have arisen for the company that was vetting the fake agency in the event that the "big name charity and travel client" was actually implicated in a successful ad-fraud campaign. Regardless of what today's norms are, there should be a step in this process where the "big name" corporation is contacted independently to verify complicity with the ad agency. I'm sure there is someone on a person like Oprah's staff whose job entails organizing the various marketing campaigns which use Oprah's name. They would know every agency they are using and all it takes is an email to confirm or deny any association with a company.
I think that the growing market for online transactions and less of an emphasis on interpersonal connections in big corporations has left people behind the curve in terms of how to protect themselves and look out for "red flags" in online correspondence. Hopefully, they are taking notes on articles like these!