Stop Ad Fraud | stopadfraud.org

Mar/10

12

In-One.eu – fake agency

Several companies have received inquiries similar to this one, from a company purporting to be an ad agency representing a US cosmetics company as its agency of record (AOR). The cosmetics company denies that this company represents them. Here is some warning information on them:

2010-03-02 10:13:25
IP: 93.190.141.10
Natalie Portman
InOne, LLC
natalie.portman@in-one.eu
phone: 46 8 559 24 563

comments:
At the moment we have a customer (a company – manufacturer of luxury cosmetics and skin care products) who is willing to start new advertising campaign. Our monthly budget is 20,000 USD and the campaign will hopefully last for 3 months. We are ready to start.

Watch out for these guys. They wanted to serve OpenX tags (free adserver), would not provide all the creatives upfront nor would they produce any proof that they actually represented the company in question.


The following VURL IDs in Right Media appear to be associated with heavy creative stacking:

3529258
4512248
6591518

They map to these websites, which have very high ratios of unique users to impressions over a period of a few days:
thegioiphim.com
yeuphim.net


Over time we have seen a large variety of bad publishers applying to join ad networks – one of the most frequent tactics is to use a site template that looks functional and deep upon basic inspection, but is actually just a simple template. A year ago, there were several e-commerce sites like this, but the fraudsters probably realized that these are unlikely to make a lot of sense since ecommerce sites usually do not want advertising on them to distract from making purchases.

Thus a common type is the “free games for download” type of site. Here is an example of a recent site applying to an ad network.

http://www.gameairport.com/ – “free flash games”, click on one of the first games.

You will see a page with lots of empty spaces where ads are supposed to go, e.g. “300*250 Advertisement” and this will proceed further down as you are led around to lots of pages with more ad links on them. Others include:

http://www.debugscript.com

Games are not the only category for questionable sites. Travel works well too — like http://www.Siteaffiliation.com

Click down into a flight search and you’ll find a broken link. But the first two layers look like a real travel site. It’s unclear what each of these sites does or will do but there is a large number of them proliferating out there, and you are certainly seeing them get into some ad networks. If they are just SEO/arb plays that is one thing – but anyone accepting “template” sites like these into their ad network should be on the lookout to see if anything odd happens… and let us know.


GamingAhead.com showed up as one of the sites seemingly part of the Web Giant Media network mentioned previously by Yahoo!

In September 2009, two verified incidents were detected that involved this website. Many of the networks whose ad tags are hosted on URLs that look like CDN (content distribution network) links have been informed, but some of these URLs are still live and point to actual current advertising campaigns. One such example is below, rotating between several ads, including a Nissan ad and several ads for Microsoft’s search engine, Bing, as of October 11th at 9pm Pacific time:

[Image: nissan-tinycdn]

All of this was initiated by an AdJuggler ad serving call (we called AdJuggler and had them disable this advertiser; they wouldn’t divulge who/what company it was). It then called sites like xml.cdn-businessweek.com and celebgossipnet.com before it started loading up lots and lots of hidden iframes with ad calls like:

http://iskucoeksc.cdn.tinycdn.com/gamingahead_redux300.html
http://iskucoeksc.cdn.tinycdn.com/gamingahead_redux728.html
http://iskucoeksc.cdn.tinycdn.com/Gamingahead/cpx300.html
http://iskucoeksc.cdn.tinycdn.com/Gamingahead/cpx728.html
http://iskucoeksc.cdn.tinycdn.com/gamingahead_realmedia728.html

Here is a CSV file of the log of the several hundred ad calls, and some patterns similar to other previous attacks can be seen here. Many of the same large networks targeted in other frauds were targeted, including some newer ones like Rocket Fuel.

One of the networks contacted did actually give out the payment information for the GamingAhead publisher, which was as follows: a mail drop in Scottsdale, AZ, with pay-to information for Publisher Direct Networks, whose domain name is on the same server as GamingAhead.com:

Publisher Direct Networks

3370 N. Hayden Rd #123 PMB278

Scottsdale, AZ

Note that the above payment information, provided by one network, was confirmed by two other ad networks who were informed of this fraud and shut this publisher down.

Finding fraudulent publishers is difficult for networks and advertisers alike. GamingAhead.com seems like a legitimate publisher. While their traffic patterns on Quantcast were up and down, which usually means they were buying traffic and don’t have a lot of organic traffic, their traffic was not at zero (which would be another bad sign). The site isn’t a cut-out template indicative of some other types of offshore fraud. The links between people working at Publisher Direct Networks / GamingAhead and the aforementioned sites/company Web Giant Media, including celebgossipnet.com, are established in a variety of pieces of information available online:

http://www.gamingahead.com/news/126/

http://www.linkedin.com/profile?viewProfile=&key=22446345

http://www.classmates.com/directory/public/memberprofile/list.htm?regId=8702690189

The following references celebgossipnet.com and relates to the Vizi incident from before, and is from a person who appears to be a convicted felon in AZ with the same last name as the person above.


In July 2009, two companies separately encountered a large-scale impressions fraud that involved two websites, MyProfilePimp.com and MyWackoSpace.com.

The two sites appear related, as a reverse-IP lookup on MyWackoSpace.com led to a list of sites hosted on the same server that included MyProfilePimp.com. Update: Note that MyProfilePimp was mentioned in an article in the Wall Street Journal in October 2009 called “Web Ads Hidden under Cloak of Invisibility”, as follows:

Mr. Edelman, who trolls the Web for examples of invisible ads, says ads for Kraft Foods and Greyhound Lines recently ended up buried on invisible pages on a site called MyProfilePimp.com, which offers games, photos and other ways for consumers to personalize their profile pages on social-networking sites like Facebook. Mr. Edelman says a visit to the site in June opened a series of invisible pages on the visitor’s computer with as many as 46 ads. He says none of those ads could be seen.

MyProfilePimp.com declined to comment.

It appears that a company or companies associated with MyProfilePimp.com and MyWackoSpace.com would go out and purchase media from online advertising companies in order to drive traffic to their nested iframe ads, which in turn would contain advertising tags from dozens of different advertising networks including video advertising networks. Here is the reverse-IP list of sites on the same server as MyWackoSpace.com:


The scenario of hundreds of ad calls resulting from a single purchased impression occurred on at least 5 different occasions between July 12 and August 1st. Many if not all of the individual ad networks involved were contacted about the situation and many of them removed the offending publisher(s) from their networks. When the company who had first discovered the issue asked the individual firms to provide the name of the publisher, or contact or payment information for the publisher, they all declined, citing the confidentiality that they had with these publishers. What seems really ridiculous is that any kind of confidentiality could persist in the face of strong evidence of fraudulent conduct such as this.

The activity was initiated by an ad purchased by Bootcamp Media on AdECN, the ad network platform now owned by Microsoft. The serving URL belonged to Bootcamp Media’s ad serving (ads.bootcampmedia.com, a CNAME for an implementation of AdJuggler given the URL formation, in this case http://ads.bootcampmedia.com/servlet/ajrotator/738508/0/vj?z=BootCamp&dim=337128&pos=1&pv=4184997196649422&nc=835224451). The fraudulent company was likely buying ads from Bootcamp, who, when contacted, would not provide any information about the identity of the buyer of the media.

The attachment below is the full URL capture from this incident, consisting of over 1450 HTML calls, captured on August 1st, 2009. It originated from a single ad call. (Beware! The only reason this log ended was because the last two URLs lead to spyware which attempted to infect the capturing computer, and thus the stream was stopped.) There are dozens of networks, adservers, ad exchanges and companies in this list, including CPX Interactive, Fox Networks, AdBrite, Pubmatic, Google/Doubleclick, AdNexus, Right Media, Zedo, AdJuggler, Collective Media, RealMedia, Burst Media, Traffic Marketplace, Aqua Media Direct, Media6Degrees, AdBuyer.com, AdNet Interactive, Rubicon Project, Adtegrity and more.

Here is the file: fraud-0801-log (CSV)

Many of the above companies could be contacted and took swift action to shut down these publisher(s) to prevent them from continuing what they were doing. The companies who discovered the above issue had no revenue connection to the above situation but were unsuccessful in their efforts to confirm the identity of the publisher/advertiser that had initiated this fraud. They did have their suspicions, however…
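The fan-out described in this post, where one purchased impression triggers hundreds of nested ad calls, can be measured directly from a request capture. The following is an added example, not part of the original post or its CSV log; the `url`/`parent` row layout, the `.example` hosts and the `max_calls` threshold are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

def build_sample():
    """Constructed capture: one row per request, 'parent' = URL that triggered it."""
    rows = [{"url": "http://buyer.example/adcall", "parent": ""},
            {"url": "http://stack.example/frame.html",
             "parent": "http://buyer.example/adcall"}]
    for i in range(12):  # 12 nested iframes, each firing one network tag
        slot = f"http://stack.example/slot{i}.html"
        rows.append({"url": slot, "parent": "http://stack.example/frame.html"})
        rows.append({"url": f"http://net{i % 4}.example/tag?slot={i}", "parent": slot})
    # An ordinary impression for comparison: ad call -> tag -> creative.
    rows += [{"url": "http://normal.example/adcall", "parent": ""},
             {"url": "http://net0.example/tag?slot=n",
              "parent": "http://normal.example/adcall"},
             {"url": "http://cdn.example/banner.gif",
              "parent": "http://net0.example/tag?slot=n"}]
    return rows

def fanout(rows):
    """Map each root ad call to (requests it caused, Counter of hosts called)."""
    children, roots = defaultdict(list), []
    for row in rows:
        if row["parent"]:
            children[row["parent"]].append(row["url"])
        else:
            roots.append(row["url"])  # no parent: the purchased impression
    report = {}
    for root in roots:
        hosts, total, stack, seen = Counter(), 0, [root], {root}
        while stack:
            for child in children.get(stack.pop(), []):
                total += 1
                hosts[urlsplit(child).hostname] += 1
                if child not in seen:  # guard against loops in the capture
                    seen.add(child)
                    stack.append(child)
        report[root] = (total, hosts)
    return report

def flag_stacking(report, max_calls=10):
    """Roots whose single impression caused more than max_calls requests.
    max_calls=10 is an assumed threshold, to be tuned per network."""
    return sorted(root for root, (total, _) in report.items() if total > max_calls)

if __name__ == "__main__":
    report = fanout(build_sample())
    for root in flag_stacking(report):
        total, hosts = report[root]
        print(root, total, "requests across", len(hosts), "hosts")
```

Rows read from a real capture with `csv.DictReader` have the same shape, provided the capture records which request triggered each URL.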


One of our participating partners discovered some problem links that had affected a number of ad networks and, with the help of Yahoo!’s Right Media division, tracked it down to a group of sites run by a company (according to Yahoo!) known as “Web Giant Media”. This was provided by them in an email on April 1st, 2009:

“these are some of the web giant media network:”
