Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Forceup.com are distributing malicious advertisements .. again – an examination of the social engineering behind malvertisements

March 27th 2008 in Uncategorized

Today we are going to take a look at social engineering and other tactics used by the fraudsters that push malicious banner advertisements.  Heaven knows we have talked enough about what the malicious advertisements actually *do*; now it is time to talk about what the *fraudsters* do…

I cannot stress how important it is that we understand the social engineering tactics used by the fraudsters.

Now, the malicious advertisements that we are going to examine today feature FrontGate.  I received three different advertisement formats from the one potential victim, being:

[Three FrontGate advertisement images, not reproduced here]

The redirect works as follows.  We start at the SWF and then move through various URLs:

stat-diagnostic-imaging.com/crossdomain.xml

stat-diagnostic-imaging.com/c/index.php?id=aFlDm7NkiZXVjTVFQTFlUSmtLQ0FTYnloPTEyMDUyNTA4MDkmcG56Y252dGE9b2JhdnNucHJmYgYNkiDgNmYNkiDgNm

waytotheprofit.com/?cmpid=bonifaceso

prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358

scanner2.malware-scan.com/18_swp/?tmn=null&aid=bonifaceso_ma18s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15359

waytotheprofit.com/?cmpid=bonifaceso

adnetserver.com/?tmn=mderon&aid=bonifaceso&lid=&3&mt_info=5746_6350_15099

waytotheprofit.com/?cmpid=bonifaceso

prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358

scanner2.malware-scan.com/19_swp/?tmn=null&aid=bonifaceso_ma19s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15360
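As an added example that is not part of the original post, the Python below walks the chain quoted above. The `id=` value on the second hop is base64 wrapped in junk characters on both sides; once decoded it is a ROT13'd query string that reads `campaign=bonifaceso`, the same token that appears as `cmpid`/`aid` on every later hop, so one affiliate id ties all five hosts together. The `http://` scheme is assumed (the post shows only host and path), the junk-wrapping layout was inferred by decoding the value rather than stated in the post, and the payload is found by scanning for the longest window that decodes to printable ASCII instead of hard-coding offsets. That the decoded number `1205250809` is a Unix timestamp is likewise an inference.

```python
# Added example, not code from the original post: decode the obfuscated id= on
# the second hop of the chain quoted above and show that one campaign token
# links every host in the chain.
import base64
import binascii
import codecs
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The chain exactly as quoted in the post; the post omits the scheme, http:// is assumed.
CHAIN = [
    "http://stat-diagnostic-imaging.com/crossdomain.xml",
    "http://stat-diagnostic-imaging.com/c/index.php?id=aFlDm7NkiZXVjTVFQTFlUSmtLQ0FTYnloPTEyMDUyNTA4MDkmcG56Y252dGE9b2JhdnNucHJmYgYNkiDgNmYNkiDgNm",
    "http://waytotheprofit.com/?cmpid=bonifaceso",
    "http://prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358",
    "http://scanner2.malware-scan.com/18_swp/?tmn=null&aid=bonifaceso_ma18s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15359",
    "http://waytotheprofit.com/?cmpid=bonifaceso",
    "http://adnetserver.com/?tmn=mderon&aid=bonifaceso&lid=&3&mt_info=5746_6350_15099",
    "http://waytotheprofit.com/?cmpid=bonifaceso",
    "http://prevedmarketing.com/?tmn=mwatmp&aid=bonifaceso&lid=&ax=1&ed=2&mt_info=5746_6350_2358",
    "http://scanner2.malware-scan.com/19_swp/?tmn=null&aid=bonifaceso_ma19s_mb1t&lid=&affid=&ax=1&ed=2&mt_info=5746_6350_2358:3958_0_15360",
]
AFFILIATE_PARAMS = ("cmpid", "aid", "affid")  # affiliate-id parameter names seen in the chain


def longest_printable_base64(blob, min_len=16):
    """(text, start, end) of the longest substring of `blob` that base64-decodes
    to printable ASCII, or None. The id= value is base64 wrapped in junk on both
    sides; scanning windows finds the payload without knowing the junk length."""
    for length in range(len(blob), min_len - 1, -1):
        if length % 4 == 1:  # no base64 string has a length of 4n+1
            continue
        for start in range(len(blob) - length + 1):
            window = blob[start:start + length]
            try:
                raw = base64.b64decode(window + "=" * (-length % 4), validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(32 <= b < 127 for b in raw):
                return raw.decode("ascii"), start, start + length
    return None


def decode_tracking_id(blob):
    """Strip the junk, base64-decode, undo the ROT13 on the inner query string
    and return its parameters ({..., 'campaign': 'bonifaceso'} for CHAIN[1])."""
    found = longest_printable_base64(blob)
    if found is None:
        return {}
    clear = codecs.decode(found[0], "rot_13")  # ROT13 is its own inverse
    return {k: v[0] for k, v in parse_qs(clear).items()}


def affiliate_values(url):
    """Affiliate-looking query values of one URL: raw cmpid/aid/affid plus
    whatever an obfuscated id= decodes to."""
    qs = parse_qs(urlsplit(url).query)
    values = [v for name in AFFILIATE_PARAMS for v in qs.get(name, [])]
    for blob in qs.get("id", []):
        values.extend(decode_tracking_id(blob).values())
    return values


def hosts_carrying(chain, campaign):
    """Hosts whose query carries `campaign` or a value derived from it
    (bonifaceso_ma18s_mb1t counts), in first-seen order."""
    hosts = []
    for url in chain:
        host = urlsplit(url).hostname
        if host not in hosts and any(v.startswith(campaign) for v in affiliate_values(url)):
            hosts.append(host)
    return hosts


def unix_time_guess(value):
    """ISO-8601 UTC rendering if `value` looks like a ten-digit Unix timestamp,
    else None. Reading 1205250809 as a timestamp is an inference, not something
    the post states."""
    if value.isdigit() and len(value) == 10:
        return datetime.fromtimestamp(int(value), timezone.utc).isoformat()
    return None


if __name__ == "__main__":
    params = decode_tracking_id(parse_qs(urlsplit(CHAIN[1]).query)["id"][0])
    print("decoded id= parameters:", params)
    print("hosts tied to campaign", params["campaign"], "->", hosts_carrying(CHAIN, params["campaign"]))
    for v in params.values():
        if unix_time_guess(v):
            print(v, "looks like a Unix timestamp:", unix_time_guess(v))
```

Running it lists all five hosts, including stat-diagnostic-imaging.com, under the single campaign id, which is the kind of link worth recording when an advertiser is being checked out: a "new" agency whose creative lands on the same affiliate id as a known bad campaign is not new.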


SOCIAL ENGINEERING AND FALSE INFORMATION

I think that my regular readers now understand what malvertisements are, and what they do – so, let’s have a look at some “behind the scenes” activity, in the hope that all of you will learn what to watch out for, and what to check.  I will quote the gentleman who sent me the advertisements – he makes some very relevant observations – with only minor editing changes made to fix typographic errors or improve clarity…

ForceUP found [us] through an ‘advertise with us link’ on our Company’s corporate web site. … From talking with the sales rep, it sounds like most of the sales process took place over e-mail with someone claiming to be Philip Norton (mailto:philip@forceup.com)

They were pretty smart about this (they even had us throw a frequency cap on the campaign, I am sure to help make it harder to track down the miscreant ad) and they are definitely monitoring the campaigns they place; a couple of days after we took down the campaign they were contacting the sales rep asking about the status and why it wasn’t running.

There were pretty clear signs if anyone had been looking for them: phone number mismatches, address mismatches, etc.


My correspondent further observes….

The phone numbers on their credit app don’t come even close to matching the contact phone numbers on their supposed website.

The numbers from www.forceup.com are:

Phone number: +1(208) 629-3456 (208 is an Idaho area code)

Fax: +1 (443) 498-5395 (443 is a Maryland area code but that doesn’t mean much because this could be a fax service)

The numbers from their credit app are:

Phone: 905-448-4133 (905 is one of the area codes for Toronto, the city they said the company was based in)
Fax: 866-862-4692

A reverse phone number lookup on 905-448-4133 returns the name and address:

C Swatridge
533 Normandy St
Oshawa, ON L1H 5X4
(905) 448-4133

On the credit app they listed their bank as Citizens Bank of Canada, which is a real bank. But for the address they put down PO Box 13133, Station Terminal (they didn’t put down the city or province the bank was located in). Now, on Citizens’ website that address happens to actually be the address of the bank’s corporate headquarters in Vancouver, British Columbia, not the address of a local branch.

The address they listed for their business on the credit app was 366 Ridelle Ave, Suite 866 Toronto, Canada M6B2N3. As near as I can tell from doing a reverse address lookup, 360 Ridelle Ave. and 370 Ridelle Ave. in Toronto are both legitimate addresses but 366 Ridelle is not. The postal code they provided ‘M6B 2N3’ is a valid postal code but is located about 8/10ths of a mile from 360 Ridelle Ave on a completely different street (Fraserwood Ave.)

The ‘forceup.com’ website is hosted in the Netherlands.

A Dun & Bradstreet check returns no information about forceup.


Additional observations:

It did seem like a very small company with only a small budget for online advertising, which should have raised a flag when the ads they sent us were from Frontgate, a major company that is unlikely to use a small agency to place a $3,100 advertisement buy. Combine that with the fact that Frontgate is a Cincinnati, Ohio based company and you start to question why they would have a Canadian ad agency place an ad buy on a US based website. But you only start to question that if you are looking for problematic ads to begin with.  Further, Frontgate … have a reputation of being very high-end and image conscious. Based on that, another flag should have been raised by the relatively low quality of the advertisements forceup sent to us.

Let’s focus on a few important points:

  1. Why would a major company like FrontGate use a small advertising agency?
  2. Why would a major company like FrontGate allow such relatively low-quality advertisements to be used?
  3. Why would a major company like FrontGate place a $3,100 advertisement buy?

Yeah, I know, with hindsight the questions are a no-brainer, but the reality is that the fraudsters are experts at social engineering.  They’ll contact victim web sites right when the sales people are under pressure to meet sales targets.  They’ll want the advertising campaigns to go live as soon as possible… urgent, urgent… gotta get it live now…  they’ll submit credit applications with addresses and phone numbers that don’t add up… they’ll provide referees whose email addresses use domains that are all associated with each other (as a robtex.com or domaintools.com check will reveal).

Guys and gals… the fraudsters are *LAZY*, and at times we have been able to corral them into using the same service (Securehost), aka putting all their eggs in the one basket.  If you take a little time, dig a little, scratch below the surface and run the advertisements through a www.adopstools.com check, then you will nearly always see something that will give you reason to pause.  Maybe their name servers or mail servers are supplied by ESTHOST or SECUREHOST… maybe you can draw a connection between the applicant’s domain and the domains used by the so-called referees… maybe you’ll sit there and think “why the hell would FrontGate use a two-bit Canadian advertising company anyway”….
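One way to make the “are the applicant and the referees really separate?” check concrete, as an added example that is not from the post: cluster the domains by the name servers and mail exchangers they share. The records and domain names below are constructed for illustration (all under `.example`); no real registrar, hosting company or domain is being described. The `lookup` helper uses the third-party dnspython package to fetch real records for the same analysis and is not needed for the offline demonstration.

```python
# Added example, not code from the original post: find which of an applicant's
# and its referees' domains sit on shared DNS/mail infrastructure.
from collections import defaultdict
from itertools import combinations

# Constructed sample (hypothetical .example names): domain -> its NS and MX hosts.
# In practice fill this from `dig NS` / `dig MX`, robtex.com or domaintools.com.
SAMPLE_RECORDS = {
    "applicant.example":   {"ns": {"ns1.cheap-host.example", "ns2.cheap-host.example"},
                            "mx": {"mail.cheap-host.example"}},
    "referee-one.example": {"ns": {"ns1.cheap-host.example", "ns2.cheap-host.example"},
                            "mx": {"mail.cheap-host.example"}},
    "referee-two.example": {"ns": {"ns1.other-dns.example"},
                            "mx": {"mail.cheap-host.example"}},
    "bigbrand.example":    {"ns": {"ns1.bigbrand.example", "ns2.bigbrand.example"},
                            "mx": {"mx.bigbrand.example"}},
}


def normalise(host):
    """Lower-case and drop the trailing dot that DNS tools put on FQDNs."""
    return host.rstrip(".").lower()


def shared_infrastructure(records):
    """{(domain_a, domain_b): {'ns': shared NS hosts, 'mx': shared MX hosts}} for
    every pair of domains with at least one name server or mail exchanger in common."""
    shared = {}
    for a, b in combinations(sorted(records), 2):
        common = {}
        for kind in ("ns", "mx"):
            hosts_a = {normalise(h) for h in records[a][kind]}
            hosts_b = {normalise(h) for h in records[b][kind]}
            common[kind] = hosts_a & hosts_b
        if common["ns"] or common["mx"]:
            shared[(a, b)] = common
    return shared


def clusters(records):
    """Group domains into connected components of shared NS/MX hosts (union-find).
    A lone domain is its own cluster; an applicant landing in the same cluster as
    its 'independent' referees is the red flag the post describes."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for a, b in shared_infrastructure(records):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())


def related_domains(records, domain):
    """Every other domain sharing infrastructure, directly or transitively, with `domain`."""
    for group in clusters(records):
        if domain in group:
            return [d for d in group if d != domain]
    return []


def lookup(domain):
    """Live NS/MX lookup with the third-party dnspython package (pip install dnspython).
    Not used by the offline demonstration; returns the same shape as SAMPLE_RECORDS values."""
    import dns.resolver  # imported lazily so the rest of the file runs without it
    out = {}
    for kind in ("ns", "mx"):
        try:
            answers = dns.resolver.resolve(domain, kind.upper())
        except Exception:  # NXDOMAIN, NoAnswer, timeout: treat as no records
            out[kind] = set()
            continue
        out[kind] = {normalise((r.exchange if kind == "mx" else r.target).to_text())
                     for r in answers}
    return out


if __name__ == "__main__":
    for pair, common in shared_infrastructure(SAMPLE_RECORDS).items():
        print(pair, "share", common)
    print("clusters:", clusters(SAMPLE_RECORDS))
    print("applicant.example is linked to:", related_domains(SAMPLE_RECORDS, "applicant.example"))
```

In the constructed data the applicant and both referees end up in one cluster even though referee-two uses different name servers, because mail for all three goes through the same host; the big brand stays on its own. Treat a shared hosting provider as a prompt to dig further rather than proof on its own, since plenty of legitimate small sites share cheap DNS and mail.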

More to come later….


One comment to...
“Forceup.com are distributing malicious advertisements .. again – an examination of the social engineering behind malvertisements”

V.J. Willis

I am not very computer savvy but, how the hell do I get rid of it? I was doing some research for a paper I was writing for my Masters Degree and all of a sudden this kept popping up. I had to close out of all of my windows and lost most of my research. I wish I had a virus I could infect their system with to teach them a lesson and shut them down. Boy, that really pisses me off!

