M & G readers targeted by scam gang



M&G readers targeted by scam gang
13 Jan 2014 12:34 M&G Reporter

A criminal gang has been covertly targeting the M&G's online readers with a sophisticated security scam. Help us ensure they don't succeed.
A gang has been covertly targeting the Mail & Guardian's online readers with a sophisticated scam by exploiting a loophole in our security architecture. (AFP)

Since early November last year, a gang has been systematically targeting visitors to mg.co.za with a clever scam that, by exploiting a loophole in our security architecture, closely mimics a Windows anti-virus warning. When unsuspecting readers click on the "clean computer" button, they are shown a realistic (but fake) scanning process, and are then prompted to "upgrade" their anti-virus by paying a fee with a credit card. When they do so, they effectively hand their credit card details over to the scammers.

If you suspect you have revealed your credit card details to these scammers, please do the following:

Immediately cancel your credit card;
Check your most recent statement for any fraudulent activities and report them to your bank;
Contact us with the details so that we can confirm the fraud with your bank;
Check that your computer is not infected with any viruses. We can recommend some good options for antivirus systems if you need one.

How could the M&G let this happen?
We're deeply sorry that this happened and we accept full responsibility for this lapse in our security. As a major publisher we are under constant attack by hackers and scammers, all looking for an unguarded loophole to exploit. For the last two years our security has proved sufficiently tight to mitigate these attacks, but in November the criminals changed tactics.

Traditionally, hackers and scammers will target the computers ("servers") which host a website. By gaining covert access to these servers they can then use them to infect unsuspecting readers with computer viruses or fool them with scams such as the one described above. But as security has improved it has become harder and harder to break into these servers.

By comparison, online advertising services are much more open. Many of them offer self-service systems that allow advertisers to place their own advertisements. Criminals have now realised that they can use these systems to attack large publishers.

The attack works as follows:

The criminals set up a fake advertising network as a front for their activities;
They then offer to buy advertising space at market rates, either directly from publishers or via other networks. They negotiate 30 day payment terms with no intention of paying;
They use one or more self-service advertising systems to create what seem to be legitimate adverts and send code to the publisher that will pull ("serve") these adverts onto the publisher's site;
They serve the fake adverts for a few days and then replace these adverts with the scam code;
The scam automatically sends readers who fit a particular profile (normally related to the version of Windows they are using) to a site that pops up the fake anti-virus warning;
Before reports of this attack can filter back the publisher, the criminals switch the scam with the fake advert, rendering it undetectable again;
They repeat this for as long as they can before being caught.

One factor that makes this criminal activity so hard to detect is that they appear to be legitimate advertiser networks with credible corporate websites, willing to pay market-related rates to reach our readers. And by running the scam in short bursts, they dramatically reduce the chances of being caught and shut down. These are clear signs of how organised and sophisticated these criminal gangs are becoming.

Our commitment to our readers
Now that we're aware of this new vector of attack we will be radically overhauling our security practices around advertising. We will not accept anonymous ad code from self-service platforms, and we will thoroughly vet all advertisers and networks before agreeing to do business with them.

Frankly, these practices should have been in place before this attack and we apologise that they were not. We should not have been caught by surprise. The fact that other large publishers, including Yahoo, have also been duped does not excuse our lapse.

We strongly believe that we have identified and stopped these criminals, but we need your help to confirm that this is the case. If you see any virus warnings when you visit our site please immediately contact us via this online form. They may be using more than one vector of attack and your feedback will be invaluable in rooting them out if this is the case.

Once again, we apologise. If you have any questions or need any assistance, please use the same form to contact us.