September 15, 2009 12:42 PM PDT

Ads--the new malware delivery format

by Elinor Mills

Instead of hacking into major online sites to embed malware, malicious hackers are going in through the front door by exploiting security holes in systems for delivering ads.

It happened just days ago, for instance, to the Web site of The New York Times. The newspaper company informed readers on Sunday about a rogue ad that was popping up on its site. The ad warned visitors to NYTimes.com that their computer may be infected with a virus and redirected them to a site that purports to scan the computer and offers to sell antivirus software.

This is common behavior for what is known as fake security alerts, or "scareware," designed to trick people into paying for something they don't need. Use of this type of scam is on the rise.

Typically, the site hosting the rogue alerts has been compromised, or a worm, like Conficker, distributes the alerts directly to computers.

On his blog Input & Output, Seven Scale CEO Troy Davis offers an analysis of the scareware ad that appeared on NYTimes.com.

[Image: Troy Davis's analysis of the scareware ad that appeared on NYTimes.com (Credit: Troy Davis)]

By sneaking fake ads onto a high-profile site, the scammers are likely to net more victims than by targeting smaller sites.

"I think there is a problem with ad networks, in general," said Graham Cluley, a Sophos security researcher. "The problem really is with Web sites handing over control of some of their content to third parties."

The rogue ad on NYTimes.com was delivered by an unknown ad delivery firm after the newspaper agreed to run an ad for a week from a company posing as Internet telephony provider Vonage, according to New York Times spokeswoman Diane McNulty. Initially, a legitimate-looking ad was running, but that was switched with the fake antivirus alerts, possibly on Friday, she said.

"In the future, we will not allow any advertiser to use unfamiliar third-party vendors," McNulty is quoted as saying. (McNulty did not respond to e-mail questions posed by CNET News on Monday and Tuesday.)

Several news organizations were targeted in the rogue ad scam, according to a New York Times statement.


One of them was SFGate.com, the site for the San Francisco Chronicle, a Chronicle spokeswoman told The New York Times. (Calls from CNET News were not returned on Monday and Tuesday.) "We did get hit with something over the weekend," Kelly Harville, a vice president of marketing at the newspaper, is quoted as saying.

"This isn't uncommon," said Michael Caruso, founder and chief executive of ClickFacts. Scammers "come in looking like one thing. They spoof the email addresses, even get good references for their credit and run a car ad. It happened with a Lexus ad a couple of weeks ago...They change the content out at the content delivery network."

ClickFacts, which started out helping advertisers defend against click fraud, also offers an ad scanning service for Web sites and ad networks that audits ad content for things like malware. For instance, ClickFacts is monitoring the ads that appear on News Corp.'s Fox site, which previously was hit by rogue scareware, Caruso said.

"We proactively scan the ads before they are delivered and then continuously scan them from many IP ranges around the world to make sure they're not launching adware," he said.

Many ad networks are scanning ads manually, but ad content can easily be changed after a manual scan is done, Caruso said. In addition, he said, a malicious ad "could be placed in anywhere" because sites often have other companies sell their ad inventory.
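The two weaknesses Caruso describes, a creative swapped after it passed manual review and an ad that behaves differently depending on who is looking, can both be caught by re-fetching the ad tag from several vantage points and comparing what comes back against the approved version. The following script is an added illustration of that check, not ClickFacts' product or any code from the article; the creative, landing domains, vantage names and scareware phrases are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical approved creative exactly as the site reviewed it (constructed sample).
APPROVED_CREATIVE = b"<a href='https://www.vonage.example/'><img src='banner.png'></a>"
APPROVED_SHA256 = hashlib.sha256(APPROVED_CREATIVE).hexdigest()
# Landing domains the advertiser declared at approval time (constructed).
ALLOWED_LANDING = {"www.vonage.example"}
# Phrases typical of fake security alerts; a real deployment would maintain a fuller list.
SCAREWARE_MARKERS = (b"may be infected", b"virus scan", b"scanning your computer")


@dataclass
class Observation:
    """One fetch of the ad tag from a given vantage point (region / IP range)."""
    vantage: str
    creative: bytes
    redirect_chain: list = field(default_factory=list)  # URLs followed after a click


def landing_domain(chain):
    """Final hostname a click would land on; None if the chain is empty."""
    return urlsplit(chain[-1]).hostname if chain else None


def audit(observations, approved_sha256=APPROVED_SHA256, allowed=ALLOWED_LANDING):
    """Return (vantage, finding, detail) tuples; an empty list means the ad still matches approval."""
    findings = []
    digests = {}
    for obs in observations:
        digest = hashlib.sha256(obs.creative).hexdigest()
        digests[obs.vantage] = digest
        if digest != approved_sha256:            # creative changed after the manual scan
            findings.append((obs.vantage, "creative_changed", digest[:12]))
        dom = landing_domain(obs.redirect_chain)
        if dom is not None and dom not in allowed:   # click lands somewhere never approved
            findings.append((obs.vantage, "unapproved_landing", dom))
        if any(m in obs.creative.lower() for m in SCAREWARE_MARKERS):
            findings.append((obs.vantage, "scareware_text", ""))
    # Cloaking check: a creative that differs by vantage is hiding something from the reviewer.
    if len(set(digests.values())) > 1:
        findings.append(("*", "inconsistent_across_vantages", ",".join(sorted(digests))))
    return findings


def sample_observations():
    """Constructed fetches: the reviewer's own IP still sees the approved banner, another region does not."""
    swapped = b"<div>Warning! Your computer may be infected. Click to run a virus scan.</div>"
    return [
        Observation("reviewer-office", APPROVED_CREATIVE, ["https://www.vonage.example/"]),
        Observation("eu-west", swapped, ["https://ad-redirect.example/r", "https://scan-now.invalid/buy"]),
    ]


if __name__ == "__main__":
    for finding in audit(sample_observations()):
        print(finding)
```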

For example, two years ago Trojan horse software was discovered in banner ads that an ad network was serving up via Yahoo's Right Media Exchange to MySpace, Photobucket, Bebo, and other high-traffic sites.

The rogue ads pose a number of problems. First, they can download malware to a computer once the ad is clicked on. The malware can include Trojans, back doors, and keystroke loggers and can be used by the scammers to commandeer the computer to send spam or launch attacks on other computers, according to Cluley.

Then, if someone falls for the ruse and provides credit card and other billing information, the scammers have sensitive financial data that can be used for identity fraud.

"Identity theft is the purpose behind the ads," said Caruso.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Comments (page 1 of 2, 36 comments)
by qpzmal1029 September 15, 2009 1:14 PM PDT
I was hit with one of these the other day. The funny thing was that it was on my Palm Pre - the alert comes up telling me I need to run a virus scan, I hit cancel, and a card comes up that looks like "My Computer" on a Windows pc, and a status bar and "filenames" start flying as though it's running a scan. I just laughed and closed the card.
Reply to this comment
by skatemusiclife64 September 15, 2009 1:31 PM PDT
It's even funnier when you're on a Mac (like me) and a Windows XP themed ad comes up telling you that you "may have a virus"
by karpenterskids September 15, 2009 8:22 PM PDT
haha...that's happened to me too.

I use a Mac.
by franko1983 September 15, 2009 10:07 PM PDT
hahaha I know, I was on my iMac the other day, and a file called AntiVir2009.exe downloaded itself on Safari :P and then it just stood there in the downloads folder hehehe just dragged that ***** to the trash and laughed...
by blondepianist September 15, 2009 1:23 PM PDT
Speaking of malware, who wants to click on IQ-Test's link? It couldn't possibly be a scam..
Reply to this comment
by Random_Walk September 15, 2009 2:50 PM PDT
You're exactly one letter off from its true intent :)

(and yep it's gone now, but I saw a similar posting for the same thing on another article here).
by inachu1 September 15, 2009 1:34 PM PDT
Later tonight I will disable the usage/rendering of anything that uses the iframe tag.

Why can't we find these people via IP address and arrest them within 8 hours of doing a ping, whois???

The lack of willpower and host providers need to be at fault for not securing the sites.
Name the names and their home address VIA GOOGLE MAPS with a sign that says these are the people infecting your PC.......... WHY WHY WHY?!?!!?

I feel I might do just that pretty soon.
Reply to this comment
by tacit September 16, 2009 11:55 AM PDT
In most cases, security researchers know exactly who's responsible for this malware. Problem is, the miscreants are most often in Russia or Eastern Europe, where law enforcement is lax and no extradition treaties exist. Hell, I tracked down one group of people pushing this phony antivirus malware and found Flickr pictures of them, and Web pages where they bragged openly about the number of computers they infected! Living in Russia has its advantages.

The malware is hosted on ISPs who often turn a blind eye to it. For example, one of these phony antivirus sites continued to be hosted on American ISP The Planet for months even after they were notified multiple times that they were hosting malware. Malware authors may host the phony antivirus malware on thousands of Web sites; that's a lot of money for an ISP to turn down, especially in a recession.
by BigGuns149 September 18, 2009 7:16 PM PDT
Even if extradition treaties exist, law enforcement in Central Asia and Eastern Europe tends to have bigger issues to deal with than that.
by brad_g11 September 15, 2009 1:55 PM PDT
The Eagle online newspaper in Bryan, TX got hit with this about 2 weeks ago. But they still deny ever having a virus on their website even after a couple thousand complaints. There are 2 answers to this: 1. Don't have ads anymore. Yeah right, like that will happen. And 2. Use a program like HostMan to block ads.
Reply to this comment
by shootfirst September 15, 2009 2:33 PM PDT
Here is how you fix this crap once and for all. Have ad creators hand over full source to companies' web developers and they post it once they have determined it is safe. I'm sorry but openly letting others post code for your site is just stupid. However, companies think the web is a cheap portal for marketing, which it is not. Having a good webmaster is a must on sites and a good webmaster should know ads are a big vulnerability.
I hit at CNET pretty hard because they were allowing ads for trojans and cialis on their site. No offense, that is the last thing I want to see when I come to this site. However, the marketing department doesn't really care as long as they have revenue streaming in.
Reply to this comment
by irondog1970 September 15, 2009 6:56 PM PDT
So when should a company screen everything that goes on their servers and when shouldn't they? I personally like the idea (just how I like the fact that Apple screens apps before they get posted on iTunes). No system will be 100% perfect, but it beats nothing at all.

I was at the NYTimes site on Sunday, but I definitely knew something was up when it showed a scan of a Windows system and I'm running Ubuntu.
by WinNoMo September 15, 2009 2:53 PM PDT
I would click on it and laugh while my Windows free world remains intact.
Reply to this comment
by lazycat202 September 15, 2009 2:58 PM PDT
nothing new!!
Reply to this comment
by mgheff September 15, 2009 3:29 PM PDT
That happened to me on my PC. I was getting quite sick of viruses. I switched to Mac shortly after.
Reply to this comment
by WinNoMo September 15, 2009 6:57 PM PDT
Ditto
by DMBoricua September 15, 2009 3:41 PM PDT
This is why I use AdBlock Plus, an add-on for Firefox that works very VERY well :)
Reply to this comment
by DarkHawke September 16, 2009 4:23 AM PDT
Preach on, brother! Ads have been a malware vector since those rogue banners hit MySpace a couple years back. I run both Adblock Plus and NoScript on Firefox. No ads, no unapproved scripts, no infections. Mah stuff is tiiiight!!! ;)
by Krevco November 13, 2009 6:31 AM PST
First, I agree, this add-on is fantastic. Just for a kick, browse around on IE for a little while and then you will enjoy the add-on even more. I was using IE on a friend's computer and when I went to some of my favorite websites I was shocked to see how ad laden they were. That add-on was blocking the ads and I hadn't even noticed.

The reason for my comment is just to get a quick thing off my chest.

"Ads--the new malware delivery format"

Are you serious with that title? How about: Ads, the oldest malware delivery format we have..

Delivering malware through ads is one of the most tried and true methods of infecting a system. I just cannot understand how the author is serious with this title..
by winstein September 15, 2009 3:44 PM PDT
The scary part is not whether the malware looks like windows, but a malware that is tricking the user with "social engineering". We can never be sure if that notification is real or not. It could someday mimic any OS or any application.
Reply to this comment
by sssprinkle September 15, 2009 4:21 PM PDT
For all the geeks there are lots of easy answers, but I spent 4 hours removing Windows Police Pro from my 89 year old mom's computer because a Windows looking ad on some site popped up and told her she had a virus...I hope somebody prosecutes these jackasses...
Reply to this comment
by mgheff September 15, 2009 5:45 PM PDT
I completely agree. Think of all the people out there who see this pop up and don't realize that it is a virus that will destroy their computer. I know Macs can get viruses, but I switched and so far have not had any problems- it is just a safer system, and I would switch to that if I were you.
by wiredchicken September 15, 2009 4:48 PM PDT
Bottom line, never click on any advertisements (period), they are only there for display purposes (like billboards)!!
Reply to this comment
by grabacontroller September 15, 2009 6:53 PM PDT
This is nothing new. You don't have to click an ad for this to happen. It happens on Firefox too.
Reply to this comment
by pentest September 15, 2009 7:08 PM PDT
If the retarded users would stop clicking on the ads they would go away.

Just like the spam problem, jerks spam because enough people idiotically click that link, and place an "order" or update their supposed account, or help that nice eastern European lady hide her assets from her mean brothers.
Reply to this comment
by pentest September 15, 2009 7:17 PM PDT
Before someone says it will hurt online content I say good!

Actually it won't if web sites properly adapt. A simple change would be to make all ads not clickable. Revenue would be based on traffic, just like TV and lots of other places. The ad could post the website address, but no large urls, nothing more complex than subdomain.domain.com/product_name.

Maybe I am just an oddball, outside of the occasional movie trailer or event ad, I don't buy things because of ads. I do however, purposely not buy things because an ad annoyed me (i.e. obnoxious cereal commercials with loud crunching the whole time). I never really bought the corporate line unlike most people apparently.
by BigGuns149 September 18, 2009 7:26 PM PDT
Just provided that one is willing to pay for content, then I have no issue with those that say they hate ads. Voluntary donations to support a site generally don't work as a sustainable model because there are often far too many freeriders relative to people who donate. Generally speaking with content you either pay with the annoyance of ads or with your own money or as in traditional print periodicals a combination of the two.

Actually you aren't that much of an oddball. Advertisers generally have high cost per acquisition because most people ignore advertising messages. Only a relatively successful ad will get more than a few percent of its viewers to convert into customers.
by karpenterskids September 15, 2009 8:23 PM PDT
One more reason to use AdBlock Plus.

Seriously...why doesn't everyone? All the time? Everywhere?
Reply to this comment
by play7 September 16, 2009 12:19 AM PDT
Mac, Windows, doesn't matter any more..........
Reply to this comment
by DaveOCP September 16, 2009 12:37 AM PDT
I use Adblock Plus, and still got the Personal Antivirus crap when I tried to read Maureen Dowd's column. Adblock has no effect on these. I closed it, scanned with Malware-bytes just to be sure, but as usual nothing actually got through. Vista is actually pretty secure, despite what the Mac ads would have you believe.
Reply to this comment
by DarkHawke September 16, 2009 4:27 AM PDT
Well, your first mistake was trying to read MoDo's column! :) Seriously, though, get NoScript as well. Then you can selectively allow only what scripting a site really needs and broom the rest. A bit of a learning curve, but you always sacrifice convenience for security.
by redmarine September 16, 2009 1:48 AM PDT
Hurray for AdBlock Plus!
Reply to this comment
by Qtechbg September 16, 2009 4:31 AM PDT
You call this NEW(S)? I've seen such pages for several years now...
Reply to this comment
by Pride73170 September 16, 2009 11:06 AM PDT
I had almost completely made the switch to Google Chrome when one of these sites bit my laptop. I didn't click on any ads on the page. When I tried to close the pop-up window, it started a fake scan in the window. I had to force Chrome to close and then ran a McAfee scan and it quarantined a nice trojan for me. It's the first one I've seen in years. One of the reasons I'd switched to Chrome was that it had been doing a better job of blocking pop-ups (versus Firefox) on reputable sites that I frequently visit. We need to decriminalize marijuana and use those funds for prosecution of malware creators. Then we can all smoke up and surf, worry free. Just kidding...I have kids...I would never smoke that stuff!
Reply to this comment