Beware of advertising scams in the age of Java vulnerabilities

I run a decently popular website and frequently receive advertising inquiries. I spend money every month to keep the site running and advertising is how I keep it afloat. If it were only that that easy–if you’re not careful it is possible to find yourself swindled by criminals looking to pump malware out to your site’s visitors under the guise of purchasing advertising. And by “purchase” I really mean “agree to purchase”, it’s almost certain that they won’t end up paying you (and there may be fun legal implications if you accept money from people spreading malware on your site).

The recent spat of Java vulnerabilities has shown that all it takes is a piece of Javascript code to completely own someone’s computer (the JS injects a Java applet and the Java vulnerabilities make quick work of even a 100% current patched computer). Besides your visitors having their computers hacked, it won’t take long for browser vendors to find the malware and display a warning to anyone visiting your site. This has the chilling effect of pretty much dropping your traffic to 0 over night (and by this time the scammers are long gone, leaving you to pick up the pieces).

Major sites have been hacked for this to happen, but it’s easier to just buy some advertising and immediately have your exploit delivered to millions of unsuspecting users. Sometimes it happens to advertising networks which is more frustrating because you don’t have direct control over which ads are displayed or the ability to audit code beforehand. About the only thing you can do is to pick ad networks carefully and keep close tabs on the creative they are delivering. This exact issue has caught some big name sites like Tech Crunch and Cult of Mac recently so don’t think it can’t happen to you.

Here’s what the scam looks like from a publisher’s point of view

I recently received a suspicious advertising inquiry and spent some time researching it. As you can see, if you are not careful it can be quite easy to take someone’s offer without knowing you are putting your site’s visitors at risk. Additionally, if the advertising on your site isn’t handled by a technical person you should be extra wary of new advertisers. I have removed a few bits of identifying information, but otherwise the emails are as I received them.

From: Nathalie Howard
To: Crossword Tracker Advertising
Subject: Display Advertising

Hello,

I represent advertising department of Clepter online store and I am writing to you concerning possible cooperation in online advertising. Our website is running a display campaign in US and in some EU countries. We are using standard IAB units and are working on CPM model only. Please let me know if you can offer us any inventory. We will consider any your proposals or offers. Look forward to hearing back from you soon!

Thanks,

Nathalie Howard
Marketing Director
_____________________
Clepter.com Street
Email: REDACTED
Ph: 443.687.XXXX
Address: 300 East Lombard
Baltimore, MD 21202

That sounds great, but nothing checked out

The first thing I did after receiving the email is check out their site (not linked since I don’t want to reward scammers). It is a fairly anonymous looking online shoe store. Some nice photos, but it looks like a template and nothing was rated or reviewed. The problems didn’t end there though:

• I searched their address and it’s a mail drop in Baltimore, making me know that something is definitely not right.
• The phone number appears to be a Verizon cell phone.
• No details about a physical presence or who is behind the company.
• The footer contained copyright 2010, three years out of date and since the domain was registered in December 2011 it was out of date on day 1.
• The WHOIS information is private
• The site’s IP address hosted other domains (not typical if this was a real ecommerce outfit) and to my surprise they all were exact copies of the Clepter site just with different and odd domains (including a .cn domain). These domains had WHOIS info and they all went back to China.
• None of the sites have a valid SSL certificate and are using unsigned root certificates

In short we have a sketchy online store that lacks a physical presence, can’t securely sell anything and has copies of itself on strange Chinese domains. Suspicions confirmed and the Chinese angle was especially interesting since China has been implicated in tons of hacking cases lately, including ones taking advantage of the new Java exploits.

My site’s audience is especially vulnerable

Some background, my site is focused on crossword puzzles and there are still many online crossword puzzles that are delivered using a Java applet. A lot of otherwise smart tech people hear about a new Java applet vulnerability and roll their eyes because, “No one uses applets”. If that were only the case, a staggering number of people have Java applets enabled (crosswords, VPN, online banking, there are tons of uses that aren’t going away overnight). I realized that my audience is quite likely to hava Java enabled, even after all the security problems. Some vendors went ahead and disabled Java, but if you have been doing crossword puzzles for years it’s not unlikely that you would re-enable Java so you can continue with your routine. It’s just a hunch, but I think that may be why they targeted me for this faux advertising purchase.

Advertising savvy, but no doubt it’s a fake store

At this point I wanted to play along, mostly to confirm my suspicions but also to see if I could dig up enough to at least shut this scam down so that others won’t fall victim. I asked for more information about her company and received a reply the next morning.

Hi Jon,

Thanks for getting back to us and I hope you’re doing great. Hopefully we’ll be able to get a campaign live in the coming days. Our campaign goal is to increase traffic (CTR 0.08% +/-) and brand awareness.

To make things easier and hasten the process I have detailed our preferred campaign specs below.

. Landing Page: www.clepter.com (or similar)
. Ad size: 728×90
. Geo-targeting: USA
. Budget: $14K per month
. Campaign Life: 2-4 months

Apart from the above, we would also like a frequency cap of 1/24. We find that our campaigns tend to perform much better with this.

Please do let me know what CPM rate that you can offer for this campaign. Preferably, we would like to keep this as low as possible without sacrificing too much on quality.

Best Wishes,
Nathalie

—–Original Message—–
From: Jon Gales
Sent: Wednesday, February 20, 2013 8:52 AM
To: Nathalie Howard
Subject: Re: Display Advertising

Can you tell me more about your company?

-Jon

Digging into the full headers of the email I found out that Natalie is probably named Natalia (her desktop’s hostname was NataliaPC) and is not located in Baltimore, but in the Netherlands. Or at least the email was sent from a computer based in the Netherlands, if it’s a hacking group there’s no reason to believe they would be using their own machines (or names, Natalia could just be an unsuspecting user who got compromised).

She did use the correct verbiage for online advertising though, frequency caps aren’t usually something people outside of the industry know about (1/24 means that a visitor only sees the ad once per 24 hours). This is enough to convince me that it’s not the first time they did this and that they have a level of sophistication.

I registered for the store using a Mailinator address and saw that the confirmation email subject was “Account Details for Joe at Shop” which means they never customized their store’s name (“Shop” instead of “Clepter”). Even better is the choice of payment methods:

Thankfully the payment method is as far as you can go, the rest of the form does not work. So there we have it, someone trying to advertise a fake web store. I sent one more email to Nathalie asking if I could host the creative (thereby making it harder to switch it out for malware) and not surprisingly that was a non-starter. I cannot 100% confirm that they were planning on spreading malware, but fake businesses don’t need real advertising and the coincidence of going after an audience very likely to have Java enabled makes me believe that the plan was to use one of the new Java exploits.

Going farther is difficult because I’m not going to sign an insertion order for a campaign I don’t intend to run and the embed code I get will probably not have any malware attached (but they can change the target later on to attack my audience).

I was clever enough to see through the offer and not accept it, but all it takes is for someone else to just see dollar signs and sign up. It’s a scary proposition.

If you’re reading this, disable your Java plug-in

I use Chrome and use its “click to play” setting for plug-ins and in addition have the Java plug-in completely disabled. If you can see a Java applet by default your computer is a sitting duck. If you need applets for a specific reason I suggest using a separate browser exclusively for that reason or even better a virtual machine.

Update 04/09/2013: The plot gets more entertaining, “Nathalie” got back to me with a threat of legal action. Not a denial of claims (other than that wasn’t the real site…), just that our correspondence was confidential. Guess what, it’s not. Here’s the latest email in full:

Hi Jon,

We know that you are distributing certain information about our company. We should say that we planned to use another our site as a LP for the campaign. As to the clepter, it is being designed. The information you’ve posted is breach of correspondence confidence. Our legal team is currently considering the matter to take legal actions against this violation.

Regards,
Nathalie