Ponderings about the incident that hit Gizmodo (courtesy of Gawker)
While I was on holidays, a malvertizing incident hit Gizmodo (via advertising sold to Gawker). The miscreants impersonated the legitimate advertising agency Spark Communications, registering the domain spark-smg.com (the real domain is sparksmg.com) to assist in the impersonation.
Publicis have since taken over the fraudulent domain spark-smg.com, but we still have access to historical information about the domain, which is interesting.
Before we get into the nitty gritty of the domain itself, I have a few observations to make. In short, the tricks used were not new.
"Gawker Sales Guy" says on the businessinsider.com web site:
"The reason this is news (and the reason we sent it here in the first place) is because these guys were so thorough they managed to fool multiple levels of safeguards we have in place to keep this thing from happening. There was literally NO way for us to know, short of calling the agency and doing background checks on everyone we work with."
Why did nobody notice that the domain spark-smg.com was being used instead of sparksmg.com? I concede that the difference between the domains is subtle, but even if the "Gawker Sales Guy" who was corresponding with the miscreants did not notice the difference at first, I would have expected him to take a closer look when one of his emails bounced on Saturday 28 September.
The realities of malvertizing *are* well known in the industry nowadays, thanks to all of the publicity that it has received over the past year or so. Many warnings have been sent out by various parties and there have been many high profile incidents. The new person approaching Gawker, the bounced email, and the wide variation in time of day when emails were received should have all given the Gawker Sales Guy reason to pause and take a closer look (despite the fraudster claiming, in one email, to be in London). "Background checks" should be standard operating procedure, and "calling the agency" using their main telephone number (not a direct line) should also be standard operating procedure, even after background checks have been completed, whenever a new name appears.
Gawker Sales Guy (http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10#comment-4ae6561900000000008b1b70) then goes on to say:
"This was truly damn near impossible to spot as a fake."
This claim is impossible to judge without specific technical information. That being said, the ads have to touch something bad as part of the malvertizement process, even if the malicious behaviour itself does not trigger.
On the BBC web site (http://news.bbc.co.uk/2/hi/technology/8328399.stm) it states:
"Blaming the fact that staff used Linux operating systems on their production machines for "not noticing sooner", it advised concerned users to load some up-to-date antivirus software and "make sure your system is clean"."
The fact that staff use Linux on their production machines is not why the staff did not see the malvertizements. As regular readers of this blog know, the miscreants behind malvertizing actively manage their campaigns, deliberately doing all they can to avoid detection by victim web sites via geo-targeting, IP exclusions and whatnot. I would be *extremely* surprised if the malicious behaviour would have been triggered if the malvertizement was displayed on a computer within an IP range associated with the victim web site, or the infrastructure used to serve the advertisement, even if it were running an old, vulnerable, version of Windows. The bad guys are not fools – they are not going to allow malicious behaviour to trigger on a computer known to be owned by the very people they are trying to fool and defraud.
Online Media Daily (http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=116269) states that it "is believed to be the first to successfully mimic the identity of a major advertising agency".
OK, I suppose we can argue about what a "major" advertising agency is, but it certainly is not the first time an advertising agency has been spoofed (or the first time that the bad guys have made preparations to do just that). Some malicious domains that I have seen, and reported on in the past, that could be used to spoof legitimate ad networks include:
byronadvertising.eu (used to impersonate the legitimate byronadvertising.com and byronadvertising.co.uk)
koeppelinteractive.co.uk (impersonating koeppelinteractive.com, redirecting visitors to that domain)
quigley-simpson.net (impersonating quigleysimpson.com, redirecting visitors to that domain)
mediavest-corp.com (WHOIS referred to firstname.lastname@example.org, an email address also used with the legitimate mediavest.net)
posnerpromotion.com (impersonating posneradv.com, redirecting visitors to that domain)
adconion-inc.com (impersonating adconion.com, redirecting visitors to that domain)
carat-inc.com (impersonating carat.com, redirecting visitors to that domain)
pubmatic-inc.com (impersonating pubmatic.com, redirecting visitors to that domain)
doubleclick-ssl.com (impersonating Doubleclick)
Then there are the fake sites pretending to sell advertising directly on behalf of large corporations:
nokia-corp.com (shared IP with lacoste-ads for a while - can be assumed to impersonate Nokia)
foxinteractivemedia-inc.com (impersonating fox.com, redirecting visitors to that domain)
lacoste-ads.com (impersonating lacoste.com, redirecting visitors to that domain)
orangeadvertising-inc.com (impersonating orange.com, redirecting visitors to that domain)
hyundai-inc.com (impersonating hyundai-motor.com, redirecting visitors to that domain)
singlesnet-inc.com (impersonating singlesnet.com, redirecting visitors to that domain)
vonage-inc.com (used to impersonate the real Vonage)
Tribalfusion has even been impersonated in a credit reference.
Anyway, let's take a look at spark-smg.com and see what danger signs we can find by examining historical data (taken from before Publicis Groupe S.A. took over the domain).
ICANN Registrar: BIZCN.COM (a known problem Registrar)
Created 4 September 2009 (a very new domain, another bad sign)
IP address (up until on or about 3 October 2009): 126.96.36.199
188.8.131.52 = Luxembourg Root Esolutions (another problematic host, too often seen in association with malvertizing).
Note: A check of the IP range 212.117.175.% reveals a few domains associated with advertising that should be treated with caution:
RevolteChMedia.com (claims to have been around since 2004, but the domain was only registered on 13 October 2009 - ICANN Registrar BIZCN.COM, INC)
BellWayInteractive.com (registered on 14 September 2009 - ICANN Registrar BIZCN.COM, INC)
SmartMediaWay.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)
GoldBayMedia.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)
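The danger signs above, and the lookalike-domain patterns in the two lists earlier in the post, are mechanical enough to turn into a screening check that an ad-sales desk could run on every new contact before any creative is accepted. The following is an added example and not code from the original post, nor anything Gawker or Publicis run. The helper names (`lookalike_of`, `danger_signs`, `screen_contact`) are hypothetical; the "very new" threshold and the minimum brand-stem length are my assumptions; the WHOIS-style records are constructed inline from the creation dates and registrar the post quotes rather than from live lookups, and the IP addresses in them are placeholders (one inside the 212.117.175.0/24 range the post points at, one RFC 5737 documentation address for the clean control).

```python
"""Screen an inbound ad-sales contact for the red flags described in the post.

Added example: hypothetical helper names, constructed WHOIS-style records,
placeholder IP addresses. Not the post's own code or any publisher's tooling.
"""
import ipaddress
import re
from datetime import date

# Legitimate domains the post says were impersonated.
LEGIT_DOMAINS = {
    "sparksmg.com", "byronadvertising.com", "koeppelinteractive.com",
    "quigleysimpson.com", "mediavest.net", "posneradv.com", "adconion.com",
    "carat.com", "pubmatic.com", "doubleclick.com", "nokia.com", "fox.com",
    "lacoste.com", "orange.com", "hyundai-motor.com", "singlesnet.com", "vonage.com",
}
# Suffixes the fraudsters bolted onto brand names in the post's lists.
DECOY_SUFFIXES = ("-inc", "-corp", "-ads", "-ssl")
# Registrar and hosting range the post flags as recurring (assumption: keep your own lists).
SUSPECT_REGISTRARS = {"BIZCN.COM", "BIZCN.COM, INC"}
SUSPECT_NETWORKS = [ipaddress.ip_network("212.117.175.0/24")]
NEW_DOMAIN_DAYS = 90  # assumption: anything younger counts as "very new"
MIN_STEM = 5          # assumption: shorter brand stems (e.g. "fox") give too many false hits


def split_domain(domain):
    """Return (label, tld); two-part public suffixes such as co.uk are kept together."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "net", "org") and len(parts[-1]) == 2:
        return ".".join(parts[:-2]), ".".join(parts[-2:])
    return ".".join(parts[:-1]), parts[-1]


def brand_stem(label):
    """Normalise a label: drop decoy suffixes and punctuation (spark-smg -> sparksmg)."""
    for suffix in DECOY_SUFFIXES:
        if label.endswith(suffix) and len(label) > len(suffix):
            label = label[: -len(suffix)]
    return re.sub(r"[^a-z0-9]", "", label)


def lookalike_of(candidate, legit=LEGIT_DOMAINS):
    """Return the legitimate domain `candidate` imitates, or None.

    Catches hyphen insertion (spark-smg.com), TLD swaps (byronadvertising.eu),
    decoy suffixes (carat-inc.com) and stem extensions (orangeadvertising-inc.com).
    A replaced word (posnerpromotion.com vs posneradv.com) is NOT caught; that
    needs a brand keyword list, which the post does not give us.
    """
    candidate = candidate.lower()
    if candidate in legit:
        return None  # it is the real domain
    stem = brand_stem(split_domain(candidate)[0])
    for real in sorted(legit):
        real_stem = brand_stem(split_domain(real)[0])
        shorter, longer = sorted((stem, real_stem), key=len)
        if stem == real_stem or (longer.startswith(shorter) and len(shorter) >= MIN_STEM):
            return real
    return None


def danger_signs(whois, as_of):
    """Registration red flags from the post: very new domain, problem registrar,
    hosting in a range repeatedly seen with malvertising, and a site claiming a
    history older than its own registration date."""
    flags = []
    age = (as_of - whois["created"]).days
    if age < NEW_DOMAIN_DAYS:
        flags.append(f"domain registered only {age} days ago")
    if whois["registrar"].upper() in SUSPECT_REGISTRARS:
        flags.append(f"registrar {whois['registrar']} has a poor reputation")
    ip = ipaddress.ip_address(whois["ip"])
    if any(ip in net for net in SUSPECT_NETWORKS):
        flags.append(f"hosted at {ip}, a range repeatedly seen in malvertising")
    claimed = whois.get("claims_since")
    if claimed is not None and claimed < whois["created"].year:
        flags.append(f"claims to date from {claimed} but was registered in {whois['created'].year}")
    return flags


def screen_contact(sender_domain, whois, as_of):
    """Combine both checks. An empty list means 'nothing obvious', not 'safe'."""
    findings = []
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"{sender_domain} looks like {target}")
    findings.extend(danger_signs(whois, as_of))
    return findings


# Constructed records: dates and registrars from the post, IPs are placeholders.
SPARK_SMG = {"created": date(2009, 9, 4), "registrar": "BIZCN.COM", "ip": "212.117.175.10"}
REVOLTECH = {"created": date(2009, 10, 13), "registrar": "BIZCN.COM, INC",
             "ip": "212.117.175.11", "claims_since": 2004}
CONTROL = {"created": date(2001, 5, 1), "registrar": "Example Registrar", "ip": "198.51.100.7"}
REVIEW_DATE = date(2009, 10, 20)  # constructed review date, after both registrations

if __name__ == "__main__":
    for domain, rec in (("spark-smg.com", SPARK_SMG), ("RevolteChMedia.com", REVOLTECH),
                        ("example-agency.com", CONTROL)):
        print(domain, "->", screen_contact(domain, rec, REVIEW_DATE) or ["no flags"])
```

Run against the constructed records, spark-smg.com trips all three of the post's signs (lookalike of sparksmg.com, 46 days old, BIZCN.COM, hosted in the flagged range) and RevolteChMedia.com adds the "since 2004 but registered in 2009" contradiction. The limits are deliberate: the stem check is built from the domains the post names, so a decoy built on a different brand, or one that swaps a word rather than adding a suffix, would need the legitimate-domain and keyword lists a real ad-ops team maintains. None of this replaces the phone call to the agency's main switchboard that the post recommends; it just decides who gets that call.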