Beware of advertising scams in the age of Java vulnerabilities

Filed under: Web/Tech | 4 Comments

I run a decently popular website and frequently receive advertising inquiries. I spend money every month to keep the site running and advertising is how I keep it afloat. If it were only that that easy–if you’re not careful it is possible to find yourself swindled by criminals looking to pump malware out to your site’s visitors under the guise of purchasing advertising. And by “purchase” I really mean “agree to purchase”, it’s almost certain that they won’t end up paying you (and there may be fun legal implications if you accept money from people spreading malware on your site).

The recent spat of Java vulnerabilities has shown that all it takes is a piece of Javascript code to completely own someone’s computer (the JS injects a Java applet and the Java vulnerabilities make quick work of even a 100% current patched computer). Besides your visitors having their computers hacked, it won’t take long for browser vendors to find the malware and display a warning to anyone visiting your site. This has the chilling effect of pretty much dropping your traffic to 0 over night (and by this time the scammers are long gone, leaving you to pick up the pieces).

Major sites have been hacked for this to happen, but it’s easier to just buy some advertising and immediately have your exploit delivered to millions of unsuspecting users. Sometimes it happens to advertising networks which is more frustrating because you don’t have direct control over which ads are displayed or the ability to audit code beforehand. About the only thing you can do is to pick ad networks carefully and keep close tabs on the creative they are delivering. This exact issue has caught some big name sites like Tech Crunch and Cult of Mac recently so don’t think it can’t happen to you.

Here’s what the scam looks like from a publisher’s point of view

I recently received a suspicious advertising inquiry and spent some time researching it. As you can see, if you are not careful it can be quite easy to take someone’s offer without knowing you are putting your site’s visitors at risk. Additionally, if the advertising on your site isn’t handled by a technical person you should be extra wary of new advertisers. I have removed a few bits of identifying information, but otherwise the emails are as I received them.

That sounds great, but nothing checked out

The first thing I did after receiving the email is check out their site (not linked since I don’t want to reward scammers). It is a fairly anonymous looking online shoe store. Some nice photos, but it looks like a template and nothing was rated or reviewed. The problems didn’t end there though:

  • I searched their address and it’s a mail drop in Baltimore, making me know that something is definitely not right.
  • The phone number appears to be a Verizon cell phone.
  • No details about a physical presence or who is behind the company.
  • The footer contained copyright 2010, three years out of date and since the domain was registered in December 2011 it was out of date on day 1.
  • The WHOIS information is private
  • The site’s IP address hosted other domains (not typical if this was a real ecommerce outfit) and to my surprise they all were exact copies of the Clepter site just with different and odd domains (including a .cn domain). These domains had WHOIS info and they all went back to China.
  • None of the sites have a valid SSL certificate and are using unsigned root certificates

In short we have a sketchy online store that lacks a physical presence, can’t securely sell anything and has copies of itself on strange Chinese domains. Suspicions confirmed and the Chinese angle was especially interesting since China has been implicated in tons of hacking cases lately, including ones taking advantage of the new Java exploits.

My site’s audience is especially vulnerable

Some background, my site is focused on crossword puzzles and there are still many online crossword puzzles that are delivered using a Java applet. A lot of otherwise smart tech people hear about a new Java applet vulnerability and roll their eyes because, “No one uses applets”. If that were only the case, a staggering number of people have Java applets enabled (crosswords, VPN, online banking, there are tons of uses that aren’t going away overnight). I realized that my audience is quite likely to hava Java enabled, even after all the security problems. Some vendors went ahead and disabled Java, but if you have been doing crossword puzzles for years it’s not unlikely that you would re-enable Java so you can continue with your routine. It’s just a hunch, but I think that may be why they targeted me for this faux advertising purchase.

Advertising savvy, but no doubt it’s a fake store

At this point I wanted to play along, mostly to confirm my suspicions but also to see if I could dig up enough to at least shut this scam down so that others won’t fall victim. I asked for more information about her company and received a reply the next morning.

Digging into the full headers of the email I found out that Natalie is probably named Natalia (her desktop’s hostname was NataliaPC) and is not located in Baltimore, but in the Netherlands. Or at least the email was sent from a computer based in the Netherlands, if it’s a hacking group there’s no reason to believe they would be using their own machines (or names, Natalia could just be an unsuspecting user who got compromised).

She did use the correct verbiage for online advertising though, frequency caps aren’t usually something people outside of the industry know about (1/24 means that a visitor only sees the ad once per 24 hours). This is enough to convince me that it’s not the first time they did this and that they have a level of sophistication.

I registered for the store using a Mailinator address and saw that the confirmation email subject was “Account Details for Joe at Shop” which means they never customized their store’s name (“Shop” instead of “Clepter”). Even better is the choice of payment methods:

Clepter payment methods

Thankfully the payment method is as far as you can go, the rest of the form does not work. So there we have it, someone trying to advertise a fake web store. I sent one more email to Nathalie asking if I could host the creative (thereby making it harder to switch it out for malware) and not surprisingly that was a non-starter. I cannot 100% confirm that they were planning on spreading malware, but fake businesses don’t need real advertising and the coincidence of going after an audience very likely to have Java enabled makes me believe that the plan was to use one of the new Java exploits.

Going farther is difficult because I’m not going to sign an insertion order for a campaign I don’t intend to run and the embed code I get will probably not have any malware attached (but they can change the target later on to attack my audience).

I was clever enough to see through the offer and not accept it, but all it takes is for someone else to just see dollar signs and sign up. It’s a scary proposition.

If you’re reading this, disable your Java plug-in

I use Chrome and use its “click to play” setting for plug-ins and in addition have the Java plug-in completely disabled. If you can see a Java applet by default your computer is a sitting duck. If you need applets for a specific reason I suggest using a separate browser exclusively for that reason or even better a virtual machine.

Update 04/09/2013: The plot gets more entertaining, “Nathalie” got back to me with a threat of legal action. Not a denial of claims (other than that wasn’t the real site…), just that our correspondence was confidential. Guess what, it’s not. Here’s the latest email in full:

Read the latest posts

4 Responses to “Beware of advertising scams in the age of Java vulnerabilities”

  1. Ben says:

    I just wanted to chime in to confirm that this is an active scam website owners should be aware of. I just googled in order to learn more and i’m glad i found your post to say the least.

    Thanks for writing this and thanks to google for writing such a good algorithm that it recognizes quality content every once in awhile.


  2. Peter says:

    Just came across this Nathalie Howard person who wouldn’t do any business on the phone. Email only!

    Beware of this scam. Thanks for the heads up

  3. Nina says:

    What happens when you register at the website? I did but I googled the website after and came across this website… should I take action? I did not click on the links they have sent in the ”activation” mail. But I did enter my address + fake phone numer + my spam mail account when registering.

    • JG says:

      As far as I can tell, nothing. You can’t actually complete a purchase. An eCommerce site where you can’t buy anything is a huge flashing warning sign.

Leave a Reply