Advice for publishers and ad networks about how to avoid malvertizing
Right Media has published a blog entry giving their advice on how to avoid malvertizers – you can see the blog post here:
Their advice is very similar to that which has been available at www.anti-malvertising.com for quite a while now – good on Right Media for making sure their clients are made aware of the “tricks of the trade”.
I would expand on the advice given – it is VERY important to also take a close look at any credit or other references supplied. I have seen cases where a newer advertising agency has put forward as a referee a supposed contact at a long-established agency, hoping to fool victims into thinking that they’re new guys with the support of others in the industry who deserve a fair go. But if you look at the contact details for the supposed contact at the long-established agency, the phone number given does not match the agency in question, and if you phone the long-established agency’s main switchboard you discover that nobody has heard of the person.
Or you may discover that the referee’s domains are all in the same IP range.
You also need to watch out for “sleeper” agencies – the bad guys may register a domain name but not actually use it for a year or so – that trick, in combination with fake referees, can be very effective. Or they may devote time to building a trust relationship with you, causing you no trouble at all until after several campaigns have been and gone. You let your guard down and suddenly malvertizing rears its ugly head.
Or they may use misleading domains – for example, there was the incident not long ago involving adshufffle.com (how many of you noticed the extra F in that domain name the first time you saw it?). You may have an established relationship with a reputable agency and then one day receive an email from a “new” employee at that agency, from an email address ending in .NET instead of .COM.
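The two tricks above (an extra letter in the name, and .NET instead of .COM) can be screened for mechanically before a human looks at an inquiry. The following is an added example, not part of the original post; the partner list, function names and the edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of partner domains you already do business with.
TRUSTED = {"adshuffle.com", "example-agency.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    # Assumption: single-label TLDs only; co.uk etc. need a public-suffix list.
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(domain: str, trusted=TRUSTED, max_edits: int = 2):
    """Return (verdict, matched_partner) for a domain seen in an inquiry."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "known", domain
    name, tld = split_domain(domain)
    best = None
    for partner in sorted(trusted):
        p_name, p_tld = split_domain(partner)
        if name == p_name and tld != p_tld:
            return "tld-swap", partner      # same name, .net instead of .com
        d = edit_distance(name, p_name)
        if 0 < d <= max_edits and (best is None or d < best[0]):
            best = (d, partner)             # closest partner name so far
    return ("lookalike", best[1]) if best else ("unknown", None)

def classify_sender(from_header: str, trusted=TRUSTED):
    """Classify the domain of an email From: header."""
    _, addr = parseaddr(from_header)
    return classify(addr.rpartition("@")[2], trusted)

if __name__ == "__main__":
    for d in ("adshuffle.com", "adshufffle.com", "adshuffle.net", "unrelated.org"):
        print(d, classify(d))
```

A "lookalike" or "tld-swap" verdict is a prompt to phone the real agency on a number you already hold, not proof of fraud; very short names will produce false positives at this threshold.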
Does a previously unknown agency claim to be acting on behalf of a well-known company? Contact that company and make sure that the claim of authorized representation is true. Seriously, if you are approached by somebody you have never heard of before, and they claim to be acting on behalf of Nike, or Coca-Cola, you have to ask yourself how likely that is.
In short, never let down your guard. And even if a domain has been around for a year or so, still be on your guard.