If you run a business or know someone who runs a business please share this to help prevent others from becoming a victim.
Businesses that depend on advertising revenues to operate, should keep reading so that your company does not fall prey to a new type of scam.
First I would like to say I am not one to easily be scammed. Most of the scams you hear about these days usually end up with a request at some point for you to send money to the scammer. The most well-known scams come from someone based out of Nigeria, where they claim they have millions of dollars they need to get into the United States (or another country), and they need your help. For your help, they will give you a large percentage of the money they are trying to get there. At some point, they will need you to pay thousands of dollars to help get the money there, which is a small amount compared to the millions you will receive. Many have fallen victim to this, and the scammers run off with your money in the end.
A Sophisticated Scam Targeting Advertising
What I believe is a new type of scam involves Google AdSense or any other advertising network that pays its publishers. Scammers will sign up for these services and pretend to be legitimate publishers serving ads. This is a critical step for the scammer as it will be their primary source of being paid. The rest basically involves impersonation and a bait-and-switch scheme targeted at other companies or websites.
As you may or may not know, Ozzu's primary method for bringing in revenue is by displaying ads to its visitors. This pays for everything from server costs to domain name fees, and employee salaries. This is the bare minimum required to be able to keep Ozzu a fully functional website, with continued development, new features, and improvements always taking place.
On a typical day, Ozzu, and many other popular websites, will receive advertising inquiries to get another company's ads placed on the site. Depending on the circumstances, an agreement may or may not be made between the companies for ads to be placed. This usually depends on many factors including what sort of audience you have, CPM rates (cost per 1000 impressions), and payment terms. Also depending on the size of the request, a contract called an insertion order may be created and signed by both parties. It is common practice in the business industry that services are performed before being paid and once the services have been completed an invoice is sent out. Common terms include Net 10, Net 15, Net 30, and Net 60. Basically, these are all forms of trade credit where the total outstanding on an invoice is expected to be paid in full within 10, 15, 30, or 60 days. When agreeing to terms such as this with a new company, it is recommended that you do further checks into the company to make sure everything seems legitimate. This includes getting a credit check on the company, trade references, and background checks.
These bad guys are intelligent, they run a complex scheme, and understand the advertising process and how to secure their ads on other websites. In our case, they impersonated a popular website called Gilt, which sells discount luxury items. When they contacted us they said they were interested in advertising on our website and after further discussion, they revealed they had a good sized advertising budget for which they could buy our ads for all of the third quarter. They negotiated with us on terms, and finally, we came to a mutual agreement. We initially requested payment be made in advance, but they asked for different terms of Net 30. At that point, we did credit checks on Gilt, researched them on Dun and Bradstreet, and some basic checks to see if everything seemed to be legitimate. From what we could tell, Gilt was a legitimate company that paid their bills, and there was no reason to doubt that it would not pay the advertising dues. We created an insertion order, and both parties signed the contract.
Clues We Missed
In hindsight, there were little clues that we overlooked into what was really going on here. Their scheme is really brilliant in the sense that no major red flags are waving in your face because they aren't asking you for any money, but instead just want to show ads on your site. This is a common thing that happens all the time, and we have served ads for all sorts of companies. Everything seemed like business as usual. Here are clues that we missed or overlooked:
- The type of audience Ozzu has probably isn't the best for a company like Gilt.
- Emails came from giltcompany.com, instead of gilt.com.
- Once ads started showing, no further correspondence took place.
- Good-sized bait (the ad budget they had).
- The CPM rate they agreed to, without any counter offers.
- Giltcompany.com was registered within the past one to two years.
- Giltcompany.com was hosted on different servers than Gilt.com.
- No way to determine if these guys really represented Gilt.com.
- They requested a frequency cap of 5 impressions per user.
Their IP address: 72.62.110.146, was gathered from the e-mails sent back and forth via nsanderson@giltcompany.com originated from the United States. All of the documents they sent us, including trade references, EIN numbers, etc., all made things seem even more legitimate. Still, there were these small flags that we chose to ignore and overlook. None of it was a blaring red flag, and our focus continued to be on the integrity of Gilt Groupe, Inc., instead of the legitimacy of the source of the request.
The final, but not-so-apparent giveaway that brought all of the clues together was when we no longer saw the Gilt ads being displayed. Initially, it was ignored due to the fact we had a frequency cap of 5 in place for ads being shown. What that means is after 5 ads are shown for a specific visitor, no more will be served, and instead, any remnant ad inventory is served. So it was somewhat normal for us to visit our own site and see other ads because we had already seen the ad 5 times that day. This can easily be overlooked. At one point I remember thinking that I haven't seen a Gilt ad for a while, so I thought I should look into it. I did, and the campaign seemed to be operating normally. I simply thought I must have loaded the site earlier that day and 24 hours hadn't passed yet to see the ads again. This went on for a few days before I really started to get curious. I then took their ad code and loaded it directly to see what ads were being displayed, and instead of Gilt Ads, regular Google AdSense ads were being loaded?! After double checking it was not a technical bug on our end, the ad code they had provided us via adbutleradserver.com was now showing the following:
google_ad_client = 'ca-pub-8910884727655049';
google_ad_slot = '6961810018';
google_ad_width = 300;
google_ad_height = 250;
document.write('<scr'+'ipt type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js" ></scr'+'ipt>');
document.write('<scr'+'ipt type="text/javascript" src="http://tag.remnantize.com/tags/RON/144.js"></scr'+'ipt>');
Some Final Thoughts
Our theory is that the scammers wait for a small period of time since ads started and silently switch to ads that they can make money from, hoping the victim won't notice. Having the user frequency cap in place helps their situation because it would only be common to see their ads a few times a day if you regularly visit the website. In this case, they switched the Gilt Ads to start showing their AdSense Code. Here is where they start stealing money from us, without us having to pay them directly. They will never pay us, we lose our advertising revenues, and instead, our potential revenues get redirected to them via their Google AdSense publisher account. So for our remnant advertising, instead of Google paying us, Google pays the scammer unless we can convince Google otherwise. We are in the process of contacting Google hoping the scammer will lose their account and all of the stolen revenues with it. Likely they have stolen from many other websites, not just ours.
At this point, all I can hope is that by writing this someone in the future will not become a victim of this business scam. Look at every single detail of the advertising inquiry, and if anything seems weird or doesn't completely add up, question it. Do not just brush it aside if everything else still seems legitimate. Don't take credit checks, trade references, or anything else supplied for granted. Look at every single detail and make sure addresses match up, telephone numbers work and represent the company, and absolutely make sure that you are dealing with the company's real domain or another property they own. If anything seems out of place dig deeper, in the end, it will be worth it. For us, lessons learned the hard way, for you, hopefully, you will already be ahead in the game to make better decisions.
What to do if you have already been scammed
If you are like us, and it is already too late, you might be asking what you can do at this point. Unfortunately, the chances of you recovering any of the losses are probably near zero. The chances of you tracking down the person or group who scammed you are also difficult since they are likely using false names. Your greatest hope is that the thieves will be caught and justice will eventually be served, and they will be sent to prison. It is important for you to report these incidents to the authorities. If you are located in the United States, you should report the incident to a number of agencies including:
- Your local law enforcement office
- FBI IC3 (Internet Crime Complaint Center) - http://www.ic3.gov/complaint/default.aspx
- Possibly the FTC (Federal Trade Commission) - http://www.ftc.gov
A good resource that provides all sorts of information involving fraud in all shapes and forms is:
https://www.usa.gov/stop-scams-frauds
You should also contact parties involved in the scheme, from who they are impersonating (identity theft), to where they are earning their money. In our case we are reporting the incident to our local authorities, the FBI, Google, Gilt, HostWinds (their web host), and Sparklit (their 3rd part ad server).