
October 27th, 2009

Gawker Media tricked into featuring malicious Suzuki ads

Posted by Dancho Danchev @ 10:17 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Flash, Hackers, Malware

Tags: Advertisement, Gawker Media, Suzuki, Dancho Danchev

A group of cybercriminals have successfully managed to trick Gawker’s ad sales team into featuring malicious ads serving Adobe exploits (CVE-2008-2992; CVE-2009-0927) and scareware, by impersonating a legitimate ad agency inquiring about an upcoming Suzuki ad campaign.

According to Gawker Media, the malware distributors were among the most convincing they’ve seen, with clear experience in ad sales lingo. Here’s a brief chronology of the correspondence between Gawker and the scammers, and what Gawker Media could have done to prevent the malvertising attack:

“- Someone is approaching publishers as a representative of Spark-SMG on the Suzuki account, even though Suzuki very recently switched agencies
- George Delarosa and his accomplice Douglas Velez claim that there’s a limited amount of money left in the Suzuki account for them to spend, and they need to spend it quickly
- They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB sizes, lead generation, traffic coordinators, etc.
- Email comes from @spark-smg.com instead of @sparksmg.com, though the who-is for their spoof domain is very close to the actual domain (Erin has links in her original email)
- They maintain a Chicago area code (where Spark is based) but claim to be in London, even though they couldn’t give us the actual time in London when asked
- Unlike most spammers, these guys were happy to jump on the phone to get ads back up and running
- Clue that should have tipped us off was that we had to use our IO template…most major agencies like Spark have their own IO template”

A simple Google search for Spark Communications, followed by a click on the “I’m feeling lucky” button, would have revealed the true nature of the typo-squatted spark-smg.com domain that the cybercriminals used, which had only been registered on the 4th of September, 2009.
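As an added illustration (not code from the original post or from Gawker Media), the following Python check screens a prospective advertiser's sender domain against the agency it claims to represent: it flags separator variants such as spark-smg.com versus sparksmg.com, goes slightly beyond the post by also catching domains within two character edits, and flags a recent registration date. The WHOIS creation date is assumed to come from a separate lookup, and the sample address is constructed.

```python
# Added example, not code from the original post or from Gawker Media:
# screen a prospective advertiser's sender domain against the agency it claims
# to represent. The WHOIS creation date is passed in (assumed obtained from a
# separate lookup); the sample sender address below is constructed.
import re
from datetime import date

def normalize(domain: str) -> str:
    """Drop the public suffix and every separator, so that the lookalike
    'spark-smg.com' and the genuine 'sparksmg.com' both become 'sparksmg'."""
    label = domain.lower().rsplit(".", 1)[0]
    return re.sub(r"[^a-z0-9]", "", label)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_sender(sender_email: str, legit_domain: str, whois_created: date,
                  today: date, max_age_days: int = 90) -> list:
    """Return a list of findings; an empty list means the sender passed."""
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    legit_domain = legit_domain.lower()
    findings = []
    if sender_domain != legit_domain:
        if normalize(sender_domain) == normalize(legit_domain):
            findings.append("lookalike: separator variant of " + legit_domain)
        elif edit_distance(normalize(sender_domain), normalize(legit_domain)) <= 2:
            findings.append("lookalike: within two edits of " + legit_domain)
        else:
            findings.append("mismatch: " + sender_domain + " is not " + legit_domain)
    age = (today - whois_created).days
    if age <= max_age_days:
        findings.append("newly registered domain: %d days old" % age)
    return findings

if __name__ == "__main__":
    # Constructed sample: the spoof domain named in the post, registered on
    # 2009-09-04, checked on the day the post went up.
    for finding in screen_sender("sales@spark-smg.com", "sparksmg.com",
                                 date(2009, 9, 4), date(2009, 10, 27)):
        print(finding)
```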

A similar social engineering attack took place last month, this time featuring a scareware-serving malicious ad on the New York Times web site through a bogus Vonage ad. Clearly, suspicion and due diligence on prospective advertisers can make an impact, unless of course efficiency in the ad sales process gets higher priority than the safety of the site’s users.

Although the participating malware sites in the Gawker campaign (wbavv .com, criofree .com, bestavv .com, avcvv .com, avpgo .com and floweragents .com, all parked at Latvian-based Telos Solutions LTD - 91.212.127.225) are currently down, the malvertising concept remains in the arsenal of cybercriminals to take advantage of in the long term.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
