Forceup.com are distributing malicious advertisements... again - an examination of the social engineering behind malvertisements
Today we are going to take a look at the social engineering and other tactics used by the fraudsters who push malicious banner advertisements. Heaven knows we have talked enough about what the malicious advertisements actually *do*; now it is time to talk about what the *fraudsters* do...
I cannot stress enough how important it is that we understand the social engineering tactics used by the fraudsters.
Now, the malicious advertisements that we are going to examine today feature FrontGate. I received three different advertisement formats from a single potential victim, namely:
The redirect chain works as follows. We start at the SWF and then move through various URLs:
SOCIAL ENGINEERING AND FALSE INFORMATION
I think that my regular readers now understand what malvertisements are and what they do - so let's have a look at some "behind the scenes" activity, in the hope that all of you will learn what to watch out for and what to check. I will quote the gentleman who sent me the advertisements - he makes some very relevant observations - with only minor edits made to fix typographic errors or improve clarity...
"ForceUP found [us] through an 'advertise with us link' on our Company's corporate web site. ... From talking with the sales rep, it sounds like most of the sales process took place over e-mail with someone claiming to be Philip Norton (mailto:firstname.lastname@example.org)
They were pretty smart about this (they even had us throw a frequency cap on the campaign, I am sure to help make it harder to track down the miscreant ad) and they are definitely monitoring the campaigns they place; a couple of days after we took down the campaign they were contacting the sales rep asking about the status and why it wasn't running.
There were pretty clear signs if anyone had been looking for them. Phone number mismatches, address mismatches, etc."
My correspondent further observes....
"The phone numbers on their credit app don't come even close to matching the contact phone numbers on their supposed website.
The numbers from www.forceup.com are:
Phone number: +1(208) 629-3456 (208 is an Idaho area code)
Fax: +1 (443) 498-5395 (443 is a Maryland area code but that doesn’t mean much because this could be a fax service)
The numbers from their credit app are:
Phone: 905-448-4133 (905 is one of the area codes for Toronto, the city they said the company was based in)
A reverse phone number lookup on 905-448-4133 returns the name and address:
533 Normandy St
Oshawa, ON L1H 5X4
On the credit app they listed their bank as Citizens Bank of Canada, which is a real bank. But for the address they put down PO Box 13133, Station Terminal (they didn't put down the city or province the bank was located in). Now, on Citizens' website that address happens to actually be the address of the bank's corporate headquarters in Vancouver, British Columbia, not the address of a local branch.
The address they listed for their business on the credit app was 366 Ridelle Ave, Suite 866, Toronto, Canada M6B 2N3. As near as I can tell from doing a reverse address lookup, 360 Ridelle Ave. and 370 Ridelle Ave. in Toronto are both legitimate addresses, but 366 Ridelle is not. The postal code they provided, 'M6B 2N3', is a valid postal code but is located about 8/10ths of a mile from 360 Ridelle Ave on a completely different street (Fraserwood Ave.).
The ‘forceup.com’ website is hosted in the Netherlands.
A Dun & Bradstreet check returns no information about forceup."
"It did seem like a very small company with only a small budget for online advertising, and that should have raised a flag when the ads they sent us were from Frontgate, a major company that is unlikely to use a small agency to place a $3,100 advertisement buy. Combine that with the fact that Frontgate is a Cincinnati, Ohio based company and you start to question why they would have a Canadian ad agency place an ad buy on a US based website. But you only start to question that if you are looking for problematic ads to begin with. Further, Frontgate ... have a reputation of being very high-end and image conscious. Based on that, another flag should have been raised by the relatively low quality of the advertisements forceup sent to us."
Let's focus on a few important points:
- Why would a major company like FrontGate use a small advertising agency?
- Why would a major company like FrontGate allow "relatively low quality" advertisements to be used?
- Why would a major company like FrontGate place a mere $3,100 advertisement buy?
Yeah, I know, with hindsight the questions are a no-brainer, but the reality is that the fraudsters are experts at social engineering. They'll contact victim web sites right when the sales people are under pressure to meet sales targets. They'll want the advertising campaigns to go live as soon as possible... urgent, urgent... gotta get it live now... they'll submit credit applications with addresses and phone numbers that don't add up... they'll provide referees whose email addresses use domains that are all associated with one another (as a robtex.com or domaintools.com check will reveal).
Guys and gals... the fraudsters are *LAZY*, and at times we have been able to corral them into using the same service (Securehost) - aka putting all their eggs into the one basket. If you take a little time, dig a little, scratch below the surface, and run the advertisements through a www.adopstools.com check, then you will nearly always see something that will give you reason to pause. Maybe their name servers or mail servers are supplied by ESTHOST or SECUREHOST... maybe you can draw a connection between the applicant's domain and the domains used by the so-called referees... maybe you'll sit there and think "why the hell would FrontGate use a two-bit Canadian advertising company anyway"....
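The "draw a connection between the applicant's domain and the referees' domains" check above can be scripted rather than done by hand. The following is an added example written for this page; it is not code from the original post or from any of the services named. It takes the applicant's domain and the referees' email addresses, looks up each domain's NS and MX records, and reports every name server or mail server that the applicant shares with at least one referee. To keep it runnable offline, the DNS answers come from a constructed table of hypothetical domains (`agency.example`, `ref-one.example`, and so on) and hypothetical host names; for live use, replace `fake_resolve` with a resolver such as dnspython's `dns.resolver.resolve`.

```python
"""Flag ad-buy referees whose domains share DNS infrastructure with the applicant.

Added example, not code from the original post. All domains, host names and
DNS answers below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed DNS answers standing in for a live lookup (hypothetical names).
# The applicant and two of its three "referees" sit on the same name servers
# or the same mail server, which is the pattern the post describes.
FAKE_DNS = {
    "agency.example":    {"NS": {"ns1.bullet.example", "ns2.bullet.example"},
                          "MX": {"mail.bullet.example"}},
    "ref-one.example":   {"NS": {"ns1.bullet.example", "ns2.bullet.example"},
                          "MX": {"mail.ref-one.example"}},
    "ref-two.example":   {"NS": {"ns.somewhere.example"},
                          "MX": {"mail.bullet.example"}},
    "ref-three.example": {"NS": {"ns.elsewhere.example"},
                          "MX": {"mx.elsewhere.example"}},
}


def fake_resolve(domain, rtype):
    """Offline stand-in for a DNS resolver: returns the set of NS/MX hosts for a domain."""
    return FAKE_DNS.get(domain, {}).get(rtype, set())


def domain_of(address):
    """Extract the domain part of an email address, lowercased and without a trailing dot."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        raise ValueError("not an email address: %r" % address)
    return m.group(1).lower().rstrip(".")


def shared_infrastructure(applicant_domain, referee_addresses,
                          resolve=fake_resolve, rtypes=("NS", "MX")):
    """Map (record type, host) -> domains using that host, keeping only hosts
    that the applicant shares with at least one referee domain."""
    applicant = applicant_domain.lower().rstrip(".")
    domains = {applicant} | {domain_of(a) for a in referee_addresses}
    users = defaultdict(set)
    for d in domains:
        for rtype in rtypes:
            for host in resolve(d, rtype):
                users[(rtype, host.lower().rstrip("."))].add(d)
    return {key: doms for key, doms in users.items()
            if applicant in doms and len(doms) > 1}


def flag_referees(applicant_domain, referee_addresses, resolve=fake_resolve):
    """Return the referee addresses whose domain shares NS or MX hosts with the applicant."""
    shared = shared_infrastructure(applicant_domain, referee_addresses, resolve)
    linked = set().union(*shared.values())
    return sorted(a for a in referee_addresses if domain_of(a) in linked)


if __name__ == "__main__":
    referees = ["a@ref-one.example", "b@ref-two.example", "c@ref-three.example"]
    for (rtype, host), doms in sorted(shared_infrastructure("agency.example", referees).items()):
        print("%s %s is shared by: %s" % (rtype, host, ", ".join(sorted(doms))))
    print("referees linked to the applicant:", flag_referees("agency.example", referees))
```

A shared name server is weak evidence on its own (large hosting providers serve millions of unrelated domains), so treat a hit as a reason to dig further, exactly as the post suggests, rather than as proof of fraud; a shared MX host or a small, obscure name-server provider is a much stronger signal than a hit on a mass-market registrar's DNS.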
More to come later....