Gizmodo victimized by malicious advertising scam
by Steve Ragan - Oct 28 2009, 20:00
Another well-known site has fallen prey to criminals pitching malicious advertisements. With over 3 million page views daily, Gizmodo is arguably one of the most popular destinations online. Seeking to take advantage of its readership and the value of its name, criminals were able to purchase seemingly legitimate ad placements and then swap them for Rogue anti-Virus installers.
The Tech Herald spoke with Brian Lam, Gizmodo’s Editorial Director, who told us he felt “pretty annoyed and embarrassed” after discovering the scam. He sent us comments from the Gawker (parent to Gizmodo) advertising team. Based on these comments, the criminals responsible for the malicious advertisements put in a good deal of effort to pull the con off.
The problems started on September 23, when George Delarosa and Douglas Velez posed as representatives of Spark Communications (sparksmg.com). Gawker had done business with Spark in the past, so when the reply emails came from the look-alike domain spark-smg.com, no one thought twice. In addition, Delarosa, who did most of the talking during the email correspondence with Gawker, knew all the right things to say.
Delarosa knew industry terms and even talked like an insider. He knew what to ask for, and he opened his request to place Suzuki ads like any other advertising person would. He haggled over price and requested certain concessions and formatting for the placements, like any other buyer. He even went so far as to ensure that the domain WHOIS records were spoofed and to use a phone number with a legitimate Chicago area code. The only odd thing was that he claimed to be in London. (Spark Communications is based in Chicago.)
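The con above turned on a reply domain (spark-smg.com) that differs from the real partner's domain (sparksmg.com) by one hyphen. The following is an added example, not code from Gawker, Gizmodo or The Tech Herald, of the kind of check an ad-sales or finance team could run on inbound vendor mail: it compares the sender's domain against an allowlist of partner domains the company has actually contracted with and flags near-misses for out-of-band verification. The partner list, the `classify_sender`/`triage` helpers and the sample addresses are all constructed for this example.

```python
"""Lookalike-domain check for inbound vendor email.

Added example (not code from Gawker, Gizmodo or The Tech Herald). It flags
reply addresses whose domain is a near-miss of a known partner domain, such
as spark-smg.com next to the legitimate sparksmg.com described in the
article. The partner allowlist and sample senders below are constructed.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist: domains of partners the team has actually contracted with.
KNOWN_PARTNER_DOMAINS = {"sparksmg.com"}

# Characters that lookalike registrations commonly insert or drop.
FILLER = "-_."


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def squash(domain: str) -> str:
    """Label with the TLD stripped and filler characters removed, so that
    spark-smg.com and sparksmg.com compare equal."""
    label = domain.rsplit(".", 1)[0]
    return "".join(ch for ch in label if ch not in FILLER)


@dataclass
class Verdict:
    domain: str
    status: str               # "known", "lookalike" or "unknown"
    closest: Optional[str]    # the partner domain it resembles, if any


def classify_sender(address: str, partners=KNOWN_PARTNER_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Classify the sender's domain against the partner allowlist.

    Exact matches are "known". Domains that squash to the same label as a
    partner, or sit within max_distance edits of one, are "lookalike" and
    should be verified out of band (call the contact number already on file,
    never one taken from the suspicious email). Everything else is "unknown".
    """
    domain = sender_domain(address)
    if domain in partners:
        return Verdict(domain, "known", domain)
    for partner in partners:
        if squash(domain) == squash(partner) or levenshtein(domain, partner) <= max_distance:
            return Verdict(domain, "lookalike", partner)
    return Verdict(domain, "unknown", None)


def triage(addresses: Iterable[str]) -> List[Tuple[str, str]]:
    """Return only the addresses that deserve a second look, paired with the
    partner domain each one mimics."""
    flagged = []
    for addr in addresses:
        verdict = classify_sender(addr)
        if verdict.status == "lookalike":
            flagged.append((addr, verdict.closest))
    return flagged


if __name__ == "__main__":
    # Constructed sample senders; the second mirrors the hyphenated domain in the article.
    samples = [
        "buyer@sparksmg.com",
        "george.delarosa@spark-smg.com",
        "someone@example.org",
        "buyer@sparksmg.co",
    ]
    for addr in samples:
        print(addr, "->", classify_sender(addr))
    print("needs verification:", triage(samples))
```

A check like this catches the hyphen trick and the dropped-letter or swapped-TLD variants, but it is only a prompt for a human step: the article's point is that the spoofed WHOIS record and plausible phone number were designed to pass a casual look, so the verification call has to go to a number the team already holds for the partner.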
“But as far as Malware distributors go, this guy is easily one of the most convincing I've ever seen. I doubt George is his real name, but whoever it is definitely worked in online ad sales at some point,” wrote an unnamed sales representative for Gawker in emails published by Silicon Alley Insider.
The Suzuki ads were selective, serving the Rogue anti-Virus to only 1 out of 20 advertisement viewers. Once the Rogue anti-Virus was served, there were no download prompts; the Malware used an Adobe flaw to install itself on the victim’s computer.
“This was a very malicious piece of code that seemingly took advantage of unpatched Adobe software, though we don't have details on how exactly that worked. It was not a "trick" ad, wherein users were prompted to install something they needed. It simply strong armed its way through [using the vulnerability] and infected the computer,” reads the information sent to The Tech Herald by Lam.
“If a user was infected, they'd absolutely know about it. This isn't a worm that goes unnoticed, it would have crippled the user’s computer in a few moments, based on the reports we received. There would have been pop ups, freezing, and multiple file downloads taking place. The offending Trojan operates under qegasysguard.exe, which I assume is a randomized variant of sysguard.”
Once the malicious Suzuki campaign was discovered, the ads were removed. “Guys, I'm really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam. It's taken care of now, and only a few people should have been affected, but this isn't something we take lightly as writers, editors and tech geeks,” Lam said in his posted apology.
Criminals know that trust is everything, so hijacking the advertisements on a legit site is a great way to exploit this trust and infect users. When the site is high profile, such as Gizmodo, then the reward is even larger. The criminals who service the Rogue anti-Virus are paid per installation, so if just one percent of the 3 million daily readers were infected, then that would equate to a nice payday for the crooks.
"By hitting one of the biggest blogs in the world, these hackers are aiming high. Their plan was to infect as many computer users as possible with their malicious adverts. They know Gizmodo gets a huge amount of traffic - once they infected the site through their adverts they could just lie in wait for their victims to visit," said Graham Cluley, senior technology consultant for Sophos.
It is unknown how many of Gizmodo’s users were infected by the Malware. However, it is important to note that Gawker and Gizmodo are not at fault. The criminals knew their victim well, and a victim is exactly what Gizmodo is. By posing as agents of a known and trusted advertising firm, they exploited the Gawker sales team’s trust. Once the malicious ads went live, they exploited the trust given to Gizmodo by its users.
The same thing happened to the New York Times in September. At the time, the criminals bought ads from the Times’ advertising department while pretending to represent Vonage. After a few legitimate placements, the ads switched to serving malicious content to Times readers.
Looking at this recent attack, it is worth noting that Gawker acted swiftly and wasted no time removing the offending ads. Their quick reaction prevented scores of other visitors from being infected by the Rogue anti-Virus. Their mission now is twofold: prevent this from happening again and, despite being victims themselves, apologize to their readers, which is commendable considering all that happened.
“Gizmodo readers should rest assured that this is not something they need to worry about moving forward. We only work with reputable companies and agencies, and we'll certainly be much more cautious of people posing as these companies in the future,” the note from Lam concluded.
“We're frankly somewhat flattered that we've been targeted by malware distributors, putting us with the likes of the New York Times, Huffington Post, and Drudge Report, all of whom have been victim to similar attacks quite recently."