New Type Of Fraud: Fake Advertisers

[AdamAGB]

The last few months I've seen a disturbing trend that represents a new type of fraud...

I'll get media inquiries from people claiming to be account managers or media directors from obscure advertising agencies (that actually have decently designed websites). They'll say they have a client they're representing and would like to purchase $X,XXX in impressions with very specific requirements (frequency capping, geo-targeting, etc.)

Once you've invoiced them, they pass along their flash banners, which seem completely innocent. However, if you really dive into the banners' code you'll see deeply hidden pure nastiness. Adware/malware/etc.

It took 20 days of member complaints for us to figure out the source of the pop ups. The code in the banners was such that it only randomly triggered and only in certain situations.

For all ad inquiries make sure to consult Google, WHOIS, and don't be afraid to ask for documentation. I have no doubt this type of fraud will continue to grow in the future.

[nixwebo]

Interesting, it was flash code they were passing the malware and such through?

Not good, I will definetly keep my eyes out for this, thanks for the heads up AdamAGB!

[AdamAGB]

I hope it's OK to publish two sample emails, just so people know what they look like and if anyone Googles them results will appear...

------

Greetings,

My name is Frank Collins, my position is Director of Media Purchases. I am writing you on behalf of an Advertising Agency “ReachWe”, with headquaters in Geneve, Switzerland. We are currently in the process of developing an alternative sources of traffic for our clients. Our objective, much like yours, is to help our clients reach their marketing goal and provide them with best media coverage of their products or service available on the Web.

In present we want to utilize target markets of North America, United Kingdom and Australia. In addition to these markets we strongly work with Western Europe and might be interested in Asian Markets. We would like to hear more about your traffic details, available media objects and prices. Given this information we will be able to choose the best client from for possible campaign.

The budgets for our campaigns are usually very flexible. Some of our key partners are names like: FedEx, Expedia, Avon, and Bosch to name a few. You will find my contact information below. Thanks for your time and consideration.

Frank Collins,
Director of Media Purchases
ReachWe LLC.
http://reachwe.com/
Rue Plantamour 25
1201 Geneve, Switzerland

------

Hi Adam,

This is Jan Solli from 4cetera agency. We are looking for running Leaderboard campaign with your site.

728x90, starting ASAP. Please, let me know how we can follow up on this together.

Date range: starting ASAP – ending February, 15th, with a possibility to extend the campaign till March, 31st

Payment terms: Invoice by monthly delivered impressions each first date of a new month (you will bill us for January impressions on February, 1st).

GEOs: USA, Canada, UK, Australia, France, Italy, Japan.

1/24 hrs. freq. capping

Leaderboard 728x90 campaign.

What adserver do you use?

Please, let me know if you have any questions and how we can follow on this.

Thanks,

Jan Solli

Sales Coordinator
logo.gif
Email: solli@4cetera.com

[dognose]

I don't sell ads directly (partially just for this reason).

I just hope the legitimate ad networks that deliver ads for my site don't fall for this.

[Daisy]

I think I'll stay away from directly selling ads as well. I'd like to control what's on my sites.

[Alex|Canep Media]

Frank Collins from ReachWe LLC contacted a member of our advertising sales team earlier last month to place a large order on European banners and popunders. We ended up rejecting the creatives because we found that they where injecting Malware on people's computers on every 3rd load.

4cetera agency has not contacted Canep Media, but I just blacklisted the agency to make sure we do not run into problems with them in the future. Thank you for the report.

[wsz]

I seem to recall reading some time ago about a major CPM ad network getting hit by something like this.

It was a third-party served type of deal, where the creative was to be pulled from the advertiser's server. So, the initial creative offered looked OK, and got approved by the network. Then later, the advertiser suddenly changed the creative to have Active-X nasties or something like that. And they did it over a weekend, when they figured that the network's customer service people weren't in the office.

So there is still a danger, even if you only run established, reputable networks. And the networks have potential risk if they let the advertiser serve the banners.

[Piotr]

Hi everyone,

I work for Yahoo! and Reachwe LLC also approached us recently. We found out that there is something wrong with their ad... they used a domain called unicastads.com for hosting to fake the 3rd party ad vendor Unicast. We contacted Unicast and they told us that it's not their domain. Our feeling was that it's fraud and now we found your thread here. It seems to be really fraud! ... and harmful too if they deliver Malware every 3rd view.

Piotr

[kenmargolis]

We were contacted and this was very helpful info.
Thanks,
Ken

[Kimberly]

Quote:

Originally Posted by Alex|Canep Media

Frank Collins from ReachWe LLC contacted a member of our advertising sales team earlier last month to place a large order on European banners and popunders. We ended up rejecting the creatives because we found that they where injecting Malware on people's computers on every 3rd load.

4cetera agency has not contacted Canep Media, but I just blacklisted the agency to make sure we do not run into problems with them in the future. Thank you for the report.

Hello,

Europe has been hit by several banners in the last weeks. Several people including me are trying to get these banners out of circulation and alert media compagnies of the danger of these advertisments. A search on a partial link brought me to this topic. (ReachWe)

Be very carefull when accepting advertisements from 3rd party, check them out and look up their whois information. Spread the word amoung your collegues please.

May I invite you also to read the following websites to have a general overview of known domains and banners.

Flash Mystery, or how you get infected by *.SWF files
http://www.bluetack.co.uk/forums/ind...pic=18064&st=0

Sandi Hardmeier's blog
http://msmvps.com/blogs/spywaresucks/default.aspx

Thanks.

[bermuda]

Thank you guys for the information provided. It seems that the adware people are all the time thinking about the new ways for their intension.

You know, sending the Flash made banners does seem to be suspicious because the other types of ads might be deleted by the Antivirus programs as soon as they arrive in the email inbox.

[mcain]

**** never heard of this, thanks for the heads up!

[xmsmmgrs]

I also got this kind of e-mails but I just deleted them. A fix could be asking them to give image or text ads instead.

[tallship]

Same **** only saying they represented Rhapsody.com a top 10 sie. AdShaven was dumping malware thru a java script ad. We found it a day after it was up and pulled it. Today 24/7, our ad server, called and said we had a campaign scheduled that had malware. Guess who? I told them that we had pulled Adshaven and obviously would not run it.