Native ads, a race to the bottom for online media

Over the past year you will have seen a steady increase of so-called “native ads” while reading articles online. You know, those half dozen or more links with pictures to what at first looks like other articles recommended by the publisher. Only, they are really outside links. Many are click-bait ads, with pictures and headlines designed to grab your attention. They are introduced with tags like “From the web” or “Promoted stories”. The small print will mention companies like Outbrain, Taboola or Revcontent that place the ads in the space that they rent from the website owner.

At best, the advertised content doesn’t live up to the attention-grabbing ads. At worst, the advertisers try to sell you something utterly worthless through deception and lies, including miracle weight loss, anti-aging and anti-Alzheimer pills or promises of jobs that make thousands of dollars a month with no special skills required. Many of these offerings involve recurring credit card charges that are very difficult to get out of.

So why have reputable publishers like the Washington Post, Newsweek and The Atlantic embraced “native ads” on their websites? The answer of course is money. As the Internet grew, print advertising revenues have been collapsing for traditional media as much of the ads have moved online. What’s worse, with Google Adsense and Facebook ads, traditional publishers now have to compete for eyeballs against an almost unlimited number of websites and SNS, making it very hard to replace print ad revenue with online ad revenue. Companies like Outbrain and Taboola (both based in Israel) and RevContent (based in Florida) are offering better rates to site owners, but they can only do that because they seem to have few ethical problems selling anything that makes money.

Back in the 1990s I used to read High Times, which always carried pages of “fake pot” ads. The description for these products might lead naive readers to think that these legal products offered some of the effects of illegal marijuana, but it was really just bullshit and the High Times editors knew that. Their dilemma was that Congress had passed anti-paraphernalia laws that discouraged their traditional advertisers (e.g. for glass pipes) from advertising and the “fake pot” scammers were ready to fill the gap. When rival magazine Cannabis Culture pointed out the hypocrisy of High Times helping to defraud their readers, one of the editors offered an excuse along these lines: “If you don’t like these ads, why don’t you buy that advertising space yourself?” It’s not quite as simple as that.

While every business needs revenue to survive, I think ultimately, accepting money from unethical sources such as scammers does undermine your credibility. Gradually, more and more consumers will realize these “promoted stories” and “sponsored content” are nothing but deceptive junk. Taking money from these advertisers is a devil’s bargain that will damage the reputation of sites running unethical ads. If readers of reputable news sites lose faith in them, what will they have left that distinguishes them from fake news sites?

PayPal malware social engineering

I instantly got very suspicious when I received this from PayPal today:

Hello [my name here],

Colin Neal would like to be paid through PayPal.

Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.

Details

Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]

Click the button below to send Colin Neal your payment and see the details of this money request.

[ Pay now! ]

Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!

I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “pvbkrngkjqo@gmail.com” and not the address I was told to contact. Even more suspicious than the first email!

So I fired off an email from another mail account (not my PayPal mail account) to “kcsystems1@gmail.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:

Good afternoon. This is a copy of invoice.
https://paypal.com/user/files/paypalInvoice_000092419298377.doc

Looking forward your reply. Thanks.

Looking at the actual target of the link, it pointed at a completely different location:

http://myotaku.com.my/system/helper/json/paypalInvoice_000092419298377.doc

When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:

AVware LooksLike.Macro.Malware.k (v) 20161130
Avast VBA:Downloader-DSH [Trj] 20161130
Fortinet WM/Agent.CBW!tr 20161130
Qihoo-360 virus.office.gen.85 20161130
Symantec W97M.Downloader 20161130
VIPRE LooksLike.Macro.Malware.k (v) 20161130

This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source and it doesn’t include any malicious links or attachments.

By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link will arrive from an email address that you have previously contacted, which will subject that email to less severe filtering. This makes it more likely the malicious link goes through.

Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.

Domains hijacked by fake brand spammers

Spammers who set up fake websites offering brand-name products, either to sell counterfeit merchandise or to steal the credit card details of would-be buyers, often hack third-party websites to host their ads and shopping sites on them.

On top of that we’ve also come across many cases of them taking over control of existing domains, whose names then don’t make any mention of the brands being offered.

For example the domain “itelekom.net”, which currently hosts a site selling Nike shoes, has been around since 2004 and apparently was previously owned by a telecommunications company in Nigeria. Looking up its current ownership using WHOIS, it still has a 2004 creation date but appears to be owned by someone in China:

Domain Name: ITELEKOM.NET
Registry Domain ID: 119763324_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-06-22T11:19:59Z
Creation Date: 2004-05-11T08:50:26Z
Registrar Registration Expiration Date: 2015-05-11T08:50:26Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID:
Registrant Name: gina zipperian
Registrant Organization:
Registrant Street: pu tian
Registrant Street: fu jian
Registrant City: fujian
Registrant State/Province: jiao wei
Registrant Postal Code: 351253
Registrant Country: China
Registrant Phone: +86.15860339007
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 157505829@qq.com
Registry Admin ID:
Admin Name: gina zipperian
Admin Organization:
Admin Street: pu tian
Admin Street: fu jian
Admin City: fujian
Admin State/Province: jiao wei
Admin Postal Code: 351253
Admin Country: China
Admin Phone: +86.15860339007
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 157505829@qq.com
Registry Tech ID:
Tech Name: gina zipperian
Tech Organization:
Tech Street: pu tian
Tech Street: fu jian
Tech City: fujian
Tech State/Province: jiao wei
Tech Postal Code: 351253
Tech Country: China
Tech Phone: +86.15860339007
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 157505829@qq.com
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

We suspect that phishing and malware were used to enable a domain transfer away from the legitimate owners to the scammers. Having to reinstall your PC to get rid of a malware infestation is one thing. Losing an established domain that you spent years promoting on the web is another.
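An added example, not from the original post, of the kind of check a domain owner can run against their own WHOIS record on a schedule: it parses the record, verifies that the registrar locks are set, compares registrant e-mail and name servers against a recorded baseline, and warns when the registration is about to lapse. The baseline values are hypothetical placeholders; the sample record is a trimmed copy of the one above.

```python
from datetime import datetime, timezone

# Trimmed copy of the WHOIS record shown above (constructed sample: only the
# fields the audit reads are kept, the values are the page's).
SAMPLE_WHOIS = """Domain Name: ITELEKOM.NET
Registrar WHOIS Server: whois.godaddy.com
Update Date: 2014-06-22T11:19:59Z
Creation Date: 2004-05-11T08:50:26Z
Registrar Registration Expiration Date: 2015-05-11T08:50:26Z
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Email: 157505829@qq.com
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
"""

# Hypothetical baseline the legitimate owner recorded while they still held the
# domain (placeholder values, not the former owner's real data).
BASELINE = {"registrant_email": "hostmaster@example.net",
            "name_servers": ["ns1.example.net", "ns2.example.net"]}

# Registrar-side locks an owner should keep set. They stop transfers and record
# changes that bypass the registrar account, not ones made by an attacker who has
# taken that account over, which is why the baseline comparison below matters.
REQUIRED_LOCKS = ("clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited")


def parse_whois(text):
    """Map 'Key: value' lines to a dict of lists; keys such as Domain Status and
    Name Server repeat, and empty values are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def _utc(stamp):
    """Parse an ISO-8601 timestamp such as 2014-06-22T11:19:59Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_whois(text, baseline, today, warn_days=60):
    """Compare a fresh WHOIS record with the owner's baseline and return a list of
    findings; an empty list means nothing changed and nothing is about to lapse."""
    f = parse_whois(text)
    findings = []
    statuses = {v.split()[0] for v in f.get("Domain Status", [])}
    for lock in REQUIRED_LOCKS:
        if lock not in statuses:
            findings.append(f"missing registrar lock {lock}")
    email = f.get("Registrant Email", [""])[0].lower()
    if email != baseline["registrant_email"].lower():
        findings.append(f"registrant email changed to {email}")
    servers = sorted(v.lower() for v in f.get("Name Server", []))
    if servers != sorted(n.lower() for n in baseline["name_servers"]):
        findings.append(f"name servers changed to {servers}")
    expiry = f.get("Registrar Registration Expiration Date", [None])[0]
    if expiry:
        days_left = (_utc(expiry) - _utc(today)).days
        if days_left < warn_days:
            findings.append(f"registration expires in {days_left} days")
    return findings


if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS, BASELINE, today="2014-07-01T00:00:00Z"):
        print("ALERT:", finding)
```

Run against the hijacked record, the baseline comparison fires on both the registrant e-mail and the name servers even though all locks are set, which is the point: locks alone would have reported nothing.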

Protecting yourself from phishing and malware is more important than ever.

1-718-709-7573 Phishing Scam

Going through some spam traps, I found I received a fake IRS e-mail today that was a phishing scam. It included a fake W-8BEN form as a PDF to fill in and to fax to a number listed on the form.

When I googled the fax number (1-718-709-7573), I was amazed to see that the same scam had already been written about on other websites six months earlier. I rang the number from a Skype account and heard the unmistakable sounds of a fax machine.

Presumably this means that the phone number still hadn’t been shut down after half a year.

Somebody is making it too easy for criminals.

xpatjobsde.com money mule scam

If you have recently received an email like the following:

We welcome you and would like to offer you the chance to work with our team and tell you about our working conditions.
Firstly, you do not need to make any contributions to work with us.

This is a good opportunity for pensioners, women on maternity leave,
or for those who want to get away from the stress, the hustle and the competition,
or for those who are looking for a way to work part-time and earn extra money.
You can vary your working time from 2 to 8 o'clock.

Your salary is 3000 euros plus bonus. (It depends on the hours worked.)

We work Monday to Friday from 09:00 to 18:00.
For further information please write to us by e-mail: Markus@xpatjobsde.com.

Do not reply to such emails. This is a German version of a money mule recruiting scam run by phishing gangs. Other related domains are careerbuildereu.com, jobseurop.com, lavoroit.com, gogreecejob.com, usacareersorg.com and usajobsnow.com, which target people in various countries in Europe and the US.

People who respond will be recruited to receive payments in their bank accounts, withdraw the money and forward the cash to recipients abroad. The wire transfers to their accounts will be made from bank accounts owned by people who have fallen victim to phishing scams. When those people notice that money has gone missing they will alert their bank, which will usually reverse the (unauthorized) transfer. At that point the recruited individuals will be out of pocket, as they will end up owing money to their own bank. The ultimate victims of phishing gangs tend not to be the owners of hacked accounts, who often get their money back, but the people tricked into forwarding the stolen funds, as they are the last person in the chain who can easily be held responsible.

Never accept job offers arriving via spam. Never accept job offers that involve any forwarding of payments!

Beware of product quote phishing scams!

A new type of scam is becoming more common, in which criminals use requests for a quote to trick businesses into handing over passwords. They do this by providing a link to a site that supposedly holds details of the products they want a quote for, which requires a login using an e-mail address and its password. Here is an example:

Date: Sat, 30 Mar 2013 15:04:07 +0100
Subject: Please send us your data sheets and your price list regarding this product.
From: “Agung .” <agung.suryagungfuniture@gmail.com>

Dear sir/madam,

We are interested in the purchase of your products and services. we want to make order from your company and we are urgently in need of these products. You are advised to log in into our site to view the photos and specifications of the exact products we need ASAP and kindly tell us the cost of the products and the FOB to Durban, Sea Port.

Copy and paste the link to your http://anhuifuhuangimportexport.yolasite.com

NOTE: You can only view this product page if you carefully log in with your exact email and password you are using to communicate with us, as our need products specifications and designs is exclusively for our Company and has been protected for our exclusive right to protect our business.

We earnestly await your swift response to enable us to make deposit payment so that you can start the production immediately.

Kind regards,
Director of Operation

You should never enter the password to your e-mail account (or other passwords such as for Facebook, Google, Amazon, eBay and PayPal accounts) on a site other than the proper website of the service. Furthermore, you should only enter the password on pages protected by SSL (padlock icon visible in the browser, URL starts with https://). Scam sites typically are not SSL-protected.

OTC Pump and Dump scams: PacWest Equities (PWEI)

Another stock is being spammed by pump & dump scammers. Never buy stocks advertised by spammers!

Example:

This Chart is an Absolute Bull! You`re Going to Get it First!!! This
Stock Closes Green for Third Straight Day!

Trading Date: March 29th
Company Name: PacWest Equities Inc.
Tick: P W_E I
It is now: .2326
Short Term Target: .65

This Company is our Low Float, Big Bounce Opportunity for Today. This
Stock is on High Alert for Today!

Example:

It Surges Ahead on Elevated Volume! This stock could be a possible Buyout
Candidate!

Trading Date: Fri, March 29th
Company: PacWest Equities Corp
Stock: PWE_I
Last Trade: $0.2326
Target: $0.75

This company is on the brink of a Big Breakout. More gains coming this week!

Example:

It is in the green and should keep moving up tomorrow! Special
Report (Read Inside)!!!

Trade Date: Mar 29th
Company Name: PacWest Equities Inc
Symbol to buy: PW_E I
Last Trade: $0.2326
Short Term Target: .50

High Alert Today! Stock Profile!!!

UPDATE: New OTC scam using shares of “Liberty Coal (LBTG)” on April 15, 2013:

Great news for L B T_G – Liberty Coal – that will deliver huge
returns!!!

Takeover offers are back on the table that will boost L B T_G
prices up to the $.20 – $.30 range. Right now L B T_G is
selling for a very low price, so the money to be made is
amazing! Even Management want to acquire L B T_G because of
their enormous coal find that can bear shale oil. Don’t
hesitate if you want to earn big on this take over before it
gets out to the rest of the public! Buy all the L B T_G you
can afford on Mon, Apr 15.

Another one:

Breaking intelligence for L_BTG – LIBERTY COAL ENERGY INC – that
will turn a quick profit.

Buyout plans are going ahead fast that will drive L_BTG shares up
to the $.20 – $.30 range. Right now L_BTG is selling for pennies,
so the money to be made is huge! Competitors want to buy out L_BTG
because of their seemingly unlimited coal reserves that can draw
out shale oil. Take action now to earn big on this buyout prior to
other investors. Buy all the L_BTG you can possibly get on Tuesday,
April 16, 2013!

Another one:

Why PetroChina should acknowledge in S CX N? ExxonMobil captures
$14 Bill after Arkansas Oil Spill. GP will implement S CX N
solution. Lawmakers to lift the current restrictions vs huge
Oil. As buyers we could benefit from Big Oil, while decrease
tomorrows hazard. Assist large Oil remained responsible by
owning S CX N on Monday Apr 29.

Another one:

Attention headlines for G T R L!!! Films will be treated akin
capital investment by Bureau. BEA is substituting counting federal
revenues. A film can be purchased time after time be could analyzed
as a financial vehicle it shall be valuated after so the stock
price shall grow. Show firm G T R L could be bought more then a 3
USD.

Name: Get Real USA
Stock Symbol: G T R L

This analyzing bill is not void yet, add now buy 7000 stocks of G T
R L on April, 29!!!

Another one:

Acquire a abrupt 50% with B Y S_D!!! Reasonable at barely 0.01!!! Only a
fraction of a cent! Bayside Petroleum Corp. (B Y S_D) guaranteed to burst.
Set your order right now!!!
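The scammers break the ticker up with spaces and underscores ("P W_E I", "L B T_G", "S CX N") so that a keyword filter does not see it. As an added example (not the post's own code), this Python snippet undoes that: it normalizes split-up capital-letter runs, checks them against the tickers from the samples on this page, and scores a message on the boilerplate the samples share. The spam excerpts are taken from the samples above; the control sentence is constructed.

```python
import re

# Tickers promoted in the spam runs quoted above (all from this page); a live
# filter would take such a list from a feed and refresh it as new runs appear.
KNOWN_PUMPED = {"PWEI", "LBTG", "SCXN", "GTRL", "BYSD", "CYLC", "PNGM", "GGSM", "MELY"}

# A run of 3 to 5 capital letters, each optionally preceded by one space,
# underscore or line break: matches "P W_E I", "L B T_G", "S CX N" and "M_ELY".
TICKER_RUN = re.compile(r"\b[A-Z](?:[ _\n]?[A-Z]){2,4}\b")
SEPARATORS = re.compile(r"[ _\n]")

# Price-talk boilerplate the quoted samples share.
PRICE_TALK = re.compile(
    r"\b(short term target|target|last trade|closed? (?:at|price)|buy all)\b", re.I)

# Constructed samples: the first two are excerpts of the spam quoted above, the
# third is ordinary text that mentions plain acronyms and must not trigger.
SPAM_PWEI = ("This Chart is an Absolute Bull! You`re Going to Get it First!!!\n"
             "Company Name: PacWest Equities Inc.\nTick: P W_E I\n"
             "It is now: .2326\nShort Term Target: .65\n")
SPAM_LBTG = ("Takeover offers are back on the table that will boost L B T_G\n"
             "prices up to the $.20 - $.30 range. Buy all the L B T_G you\n"
             "can afford on Mon, Apr 15.\n")
CONTROL = "The SEC suspended trading in several OTC stocks priced in USD last year.\n"


def extract_tickers(text):
    """Return {normalized ticker: spelling seen} for runs that are either broken
    up with separators (the filter-evasion trick) or already on the known-pumped
    list; plain acronyms such as SEC, OTC or USD are left alone."""
    found = {}
    for match in TICKER_RUN.finditer(text):
        raw = match.group(0)
        ticker = SEPARATORS.sub("", raw)
        if ticker in KNOWN_PUMPED or SEPARATORS.search(raw):
            found.setdefault(ticker, raw)
    return found


def pump_and_dump_score(text):
    """0 to 3: a point each for a suspicious ticker, for price-target
    boilerplate and for a burst of exclamation marks."""
    return (bool(extract_tickers(text)) + bool(PRICE_TALK.search(text))
            + ("!!!" in text))


if __name__ == "__main__":
    for name, text in (("PWEI spam", SPAM_PWEI), ("LBTG spam", SPAM_LBTG), ("control", CONTROL)):
        print(name, pump_and_dump_score(text), extract_tickers(text))
```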

OTC Pump & Dump scams: County Line Energy Inc (CYLC)

County Line Energy Inc (CYLC) is the next OTC stock being pushed by “pump & dump” stock scammers. Beware! Spammers advertise stock because they want to sell theirs, not because it’s a good idea to buy it (it is not).

Here is a spam sample:

This is our newest award winning pick, be sure to act fast! Exciting
New Trade with Increasing Sales.

Trade Date: Mon, March 18th
Name: COUNTY LINE ENERGY INC.
Stock Symbol: C_Y L C
Last Trade: $0.019
Target: $.15

It is our Day-Trade Bounce back Play. This Company is unique!!!

Other stocks spammed by the same scammers recently: Pengram Gold Corp. (PNGM), GOLD & GEM STONE MINING, INC (GGSM) and Microelectronics Technology (MELY).

OTC Pump & Dump scams: Pengram (PNGM)

Pump and dump scams are investment scams in which a scammer acquires stock (usually of little known OTC stocks), then drums up demand (often via spam emails) and offloads their stocks at inflated prices.

Steer clear of any stock promoted via spam: Their prices will collapse no later than when the spamming stops and people realize there are no other buyers. Such stocks can become near impossible to sell. In any case, a buyer will have lost most of their investment.

One such stock currently being promoted is Pengram Gold Corp. (PNGM). The spamming started around March 9, 2013 and trading volumes went up in the next couple of days.

Here is a spam sample:

Pre Announcement! Major Momentum is Brewing for This Beast.

Trade Date: Thu, Mar 14th, 2013
Company: Pengram Gold Corporation
Trade: P NG_M
Closed Price: .027
Long Term Target: $0.20

It Releases Breaking News! Our New Pick Under A Penny!!!

Right up to that day and from one week before, they had been spamming stocks of GOLD & GEM STONE MINING, INC (GGSM):

Morning Dip spells Big Opportunity. It Should Continue Upward
Trend!

Date: March, 4
Company Name: Gold and GemStone Mining, Inc
Tick: GG SM
Latest Pricing: .017
Short Term Target Price: 0.35

You Need To Read This Story. This week is going to be even
better than the last.

From Feb 17-21 it was stock of Microelectronics Technology (MELY):

This Stock Continues to Climb!!! We are on fire..

Trading Date: Tue, February 19th
Company: Microelectronics Technology
Ticker: M_ELY
Closed at: $0.0163
9-Day Target: 0.10

It continues soaring! Are you missing out? Building a strong
support for a push higher!

It only takes the scammers a couple of days to unload their existing stock, then they start promoting the next one.

Occasionally the US Securities and Exchange Commission (SEC) will suspend trading in stocks involved in such patterns, as it did in 2011, to protect potential buyers from being scammed.

Garcinia Cambogia weight loss spam from hacked Yahoo accounts

I’m seeing another round of weight loss spam that abuses third party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.

One of the advertised domains, biggsetfatburningsecret.com, resolves to a dozen different IP addresses, so it is hosted on many different servers.


The domain is registered through Ukrainian registrar ukrnames.com using forged WHOIS contact details.

The buy link on that site redirects to authenticgreencoffee.com, a domain registered last July, with the owner hidden behind a WHOIS proxy.

Dozens of other domains are hosted on the same servers, some of which are part of the “Work from home mom” scam series: mostly diet and flat-stomach names, plus look-alike news domains such as icbs-news.com, ircnn-news.com and mnc-news.com.


The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.

The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain some of these strings:

.androidMobile@web
.BPMail_high_noncarrier@web
.BPMail_high_carrier@web
.BPMail_low_noncarrier@web
.BPMail_low_carrier@web

Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.

The “BPMail” IDs are the interesting ones. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could be used by a PC accessing via a wireless broadband modem.

“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common Google hit of these 4 that comes up when searching for information about this type of spam. When investigating a pool of spam samples, this was the order of declining frequency: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier” and finally relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.

The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.
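As an added example that is not part of the original post, this Python snippet classifies a pool of raw messages by the Message-ID markers listed above and tallies the recipient counts in the way described. The sample messages are constructed: only the marker fragments are the page's, the Message-ID local parts and hosts are invented.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Message-ID fragments discussed above, checked in this order so the most
# common variant is tested first.
YAHOO_MOBILE_MARKERS = (
    ".BPMail_high_noncarrier@web", ".BPMail_high_carrier@web",
    ".BPMail_low_noncarrier@web", ".BPMail_low_carrier@web", ".androidMobile@web",
)


def sample(marker, recipients):
    """Build one constructed raw message: the Message-ID local part and host are
    invented, only the marker fragment is the page's."""
    to = ", ".join(f"r{i}@example.org" for i in range(recipients))
    return (f"From: owner@yahoo.com\nTo: {to}\n"
            f"Message-ID: <1361100000.12345{marker}000000.mail.example.invalid>\n"
            f"Subject: hey\n\nhttp://biggsetfatburningsecret.com\n")


# Constructed pool mirroring the frequency pattern described above, plus one
# ordinary message that must not be flagged.
SAMPLES = [sample(".BPMail_high_noncarrier@web", 3), sample(".BPMail_high_noncarrier@web", 10),
           sample(".BPMail_high_noncarrier@web", 1), sample(".BPMail_high_carrier@web", 9),
           sample(".androidMobile@web", 3),
           "From: friend@example.org\nTo: me@example.org\nMessage-ID: <abc@mail.example.org>\n"
           "Subject: lunch?\n\nsee you at noon\n"]


def classify(raw):
    """Return (marker or None, number of To/Cc recipients) for one raw message."""
    msg = message_from_string(raw)
    mid = msg.get("Message-ID", "")
    marker = next((m for m in YAHOO_MOBILE_MARKERS if m in mid), None)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return marker, len(rcpts)


def summarize(raws):
    """Tally the pool: how often each marker appears and, for flagged mails,
    how many recipients they carried (the 1/3/9/10 pattern noted above)."""
    by_marker, by_recipients = Counter(), Counter()
    for raw in raws:
        marker, n = classify(raw)
        if marker:
            by_marker[marker] += 1
            by_recipients[n] += 1
    return by_marker, by_recipients


if __name__ == "__main__":
    by_marker, by_recipients = summarize(SAMPLES)
    for marker, count in by_marker.most_common():
        print(f"{count:3d}  {marker}")
    print("recipient counts:", dict(by_recipients))
```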

I find it amazing that Yahoo has yet to find a way to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.