(Malvertisements are Flash ads that have been modified to redirect to a malware site. A malware author takes an ad (often a legitimate one), embeds malicious URLs into it, and then attempts to place the ad on various sites. The ads will typically redirect to a fake scareware site, which tells the user their machine is “infected”, and attempts to get the user to download a fake security product which then extorts money to “remove” fake threats from a user’s PC. These ads often have methods of IP and time-targeting, so they only go off in certain locations, or at certain times, making them more difficult to detect.)
Here’s an example of how malware distributors get their malicious ads onto major websites.
First off, just to make sure there’s no confusion, Posner Advertising is a completely legitimate, top New York agency.
Using a spoofed email address, a fellow by the name of “Alvin Ortiz” has been claiming to be from Posner Advertising, attempting to place malvertisements on various sites. According to veteran ad guy Ken Margolis at Premium Network, “…Ortiz had spoofed the agency name with a unique url and email address, but when we pasted them into a web browser, the URL redirected to the legitimate agency’s domain. This made it look more authentic.” (You can see the spoofed sites they created here, including ones for agencies Posner and Quigley Simpson — and why is it that Sandi reported them to Directi, and there’s still no action?)
Ortiz placed a $20k order with Ken’s company, but Ken, who has been around the block, was suspicious: “When we reviewed his credit application, his references and bank did not check out and we learned he was conducting a fraud campaign.” Note that his credit references included reputable companies, such as Quigley Simpson.
However, in a tough economic environment, some ad networks may not be as careful, and may just be glad to see an order, placing the malicious ad in their network of websites. It’s a regular routine at Sandi Hardmeier’s blog, where she writes about malicious ads found on various sites — often, major ones. The FTC also documented this type of activity being done by Innovative Marketing, which was allegedly creating fake agencies just for the purpose of placing malvertisements.
Ad networks need to be especially careful with new clients. Check their credentials and references carefully. Be wary of new clients who, out of the blue, try to place ads at the end of the month (when sales reps are particularly desperate). Look out for new clients who don’t want to pay using normal payment terms (like offering to send a wire transfer in, as opposed to getting credit approval). Check new ads using sites like Adopstools (we also have a service for ad networks with our Sandbox, and other companies like ClickFacts provide services as well).
Alex Eckelberry