Gawker Media tricked into featuring malicious Suzuki ads

Summary: A group of cybercriminals have successfully managed to trick Gawker's ad sales team into featuring malicious ads serving Adobe exploits (CVE-2008-2992; CVE-2009-0927) and scareware, by impersonating a legitimate ad agency inquiring about an upcoming Suzuki ad campaign. According to Gawker Media, the malware distributors were one of the most convincing ones they've seen, with clear experience in ad sales lingo.

A group of cybercriminals have successfully managed to trick Gawker's ad sales team into featuring malicious ads serving Adobe exploits (CVE-2008-2992; CVE-2009-0927) and scareware, by impersonating a legitimate ad agency inquiring about an upcoming Suzuki ad campaign.

According to Gawker Media, the malware distributors were one of the most convincing ones they've seen, with clear experience in ad sales lingo. Here's a brief chronology of the correspondence between Gawker and the scammers, and what Gawker Media could have done to prevent the malvertising attack:

"- Someone is approaching publishers as a representative of Spark-SMG on the Suzuki account, even though Suzuki very recently switched agencies
- George Delarosa and his accomplice Douglas Velez claim that there's a limited amount of money left in the Suzuki account for them to spend, and they need to spend it quickly
- They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB sizes, lead generation, traffic coordinators, etc.
- Email comes from @spark-smg.com instead of @sparksmg.com, though the WHOIS for their spoof domain is very close to the actual domain (Erin has links in her original email)
- They maintain a Chicago area code (where Spark is based) but claim to be in London, even though they couldn't give us the actual time in London when asked
- Unlike most spammers, these guys were happy to jump on the phone to get ads back up and running
- Clue that should have tipped us off was that we had to use our IO template...most major agencies like Spark have their own IO template"

A simple Google search for Spark Communications, followed by a click on the "I'm feeling lucky" button, would have revealed the true nature of the typo-squatted spark-smg.com domain that the cybercriminals used, registered only on the 4th of September, 2009.
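The two tells Gawker listed, a sender domain that differs from the real agency's only by a hyphen and a registration date only weeks old, are exactly what an ad sales team can check mechanically before signing an insertion order. The following is an added example, not code from the article or from Gawker; it uses the page's domains and registration date, while the WHOIS table is constructed to stand in for a live lookup and the entry for sparksmg.com is a placeholder.

```python
from datetime import date

# Constructed stand-in for a live WHOIS query (offline example).
# spark-smg.com carries the registration date reported in the article;
# the sparksmg.com entry is a placeholder, not a real WHOIS record.
WHOIS_CREATED = {
    "spark-smg.com": date(2009, 9, 4),
    "sparksmg.com": date(2000, 1, 1),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(domain: str) -> str:
    """Drop hyphens and dots so 'spark-smg.com' and 'sparksmg.com' compare equal."""
    return domain.lower().replace("-", "").replace(".", "")


def domain_of(email: str) -> str:
    """Sender domain of an e-mail address, e.g. 'sales@spark-smg.com' -> 'spark-smg.com'."""
    return email.rsplit("@", 1)[-1].lower()


def vet_sender_domain(sender_domain, known_agency_domains, today_iso, max_age_days=90):
    """Return the red flags for the domain an advertiser's mail came from.

    Flags a domain that is a near-duplicate of a known agency domain (hyphen or
    single-character variants) and one registered less than max_age_days ago.
    """
    flags = []
    sender = sender_domain.lower()
    today = date.fromisoformat(today_iso)
    for legit in (d.lower() for d in known_agency_domains):
        if sender == legit:
            return flags  # mail really comes from the agency we expect
        if squash(sender) == squash(legit) or levenshtein(sender, legit) <= 2:
            flags.append(f"lookalike of {legit}")
    created = WHOIS_CREATED.get(sender)
    if created is None:
        flags.append("no registration record found")
    elif (today - created).days < max_age_days:
        flags.append(f"registered {(today - created).days} days ago")
    return flags
```

Run against the page's case, `vet_sender_domain(domain_of("sales@spark-smg.com"), ["sparksmg.com"], "2009-10-01")` reports both the lookalike and the 27-day-old registration; the genuine domain returns no findings.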

A similar social engineering attack took place last month, this time featuring a scareware-serving malicious ad on the New York Times web site through a bogus Vonage ad. Clearly, suspicion and due diligence on prospective advertisers can make an impact, unless of course efficiency in the ad sales process gets higher priority than the safety of the site's users.

Although the participating malware sites in the Gawker campaign (wbavv .com, criofree .com, bestavv .com, avcvv .com, avpgo .com and floweragents .com, all parked at Latvian-based Telos Solutions LTD - 91.212.127.225) are currently down, the malvertising concept remains in the arsenal of cybercriminals to take advantage of in the long term.

About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
