It was only last month that the New York Times was tricked into featuring on their website a malvertisement that took over the visitors’ browser and tried to make them think that their computer is full of viruses and that they needed to buy antivirus software (fake, of course).
It served as a warning to every ad sales team there is, but apparently sometimes a warning isn’t enough – a good social engineer can make you slip. And that is what happened to Gizmodo’s and Gawker’s teams. They were fooled into running malicious Suzuki ads through which hackers were trying to peddle scareware.
To their credit, both sites have apologized for putting people at risk and have advised them to run legitimate anti-malware software to get rid of the unwanted “visitor”. Gizmodo further apologized it took them long to figure out what was going on – apparently, their staff uses OS X and Linux.
Gawker went one step further. In a praiseworthy bid to warn publishers, they made public their email correspondence with the scammers. The Business Insider published it in its entirety, including the final Gawker’s warning:
- “Someone is approaching publishers as a representative of Spark-SMG on the Suzuki account, even though Suzuki very recently switched agencies
- George Delarosa and his accomplice Douglas Velez claim that there’s a limited amount of money left in the Suzuki account for them to spend, and they need to spend it quickly
- They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB sizes, lead generation, traffic coordinators, etc
- Email comes from @spark-smg.com instead of @sparksmg.com, though the who-is for their spoof domain is very close to the actual domain (Erin has links in her original email)
- They maintain a Chicago area code (where Spark is based) but claim to be in London, even though they couldn’t give us the actual time in London when asked
- Unlike most spammers, these guys were happy to jump on the phone to get ads back up and running
- Clue that should have tipped us off was that we had to use our IO template…most major agencies like Spark have their own IO template.
But as far as malware distributors go, this guy is easily one of the most convincing I’ve ever seen. I doubt George is his real name, but whoever it is definitely worked in online ad sales at some point.”