Hackers Use Banner Ads on Major Sites to Hijack Your PC


Fully vaccinated are you?
Of course, it can't install anything on Macs, but I've seen this on several large sites I visit. Even on a Mac I had to quit Firefox to 'get out' of it.

Here's a video demonstration of the rogue ads:

From Wired News:
Wired News said:
The worst-case scenario used to be that online ads are pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software.

And the ads do their dirty work even if you don't click on them.

The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory.

If you've seen any of the ads, you may have experienced something like this: You're on a legitimate site. Your browser window closes down. A new browser window comes up, redirecting you to an antivirus site, while a dialog box comes up telling you that your computer is infected and that your hard drive is being scanned. The malware tries to download software to your computer and scans your hard drive again.

The malware looks like a ordinary Flash file, with its redirect function encrypted, so that when publishers upload it, the malware is not detectable. Once deployed on a site, the Flash file launches the malicious redirects, which appear to be triggered at preset times or at selected Web domains.

John Mark Schofield, a Los Angeles IT director, encountered the ads on Canada.com. He thinks that because he was on a Mac OS computer, the damage wasn't so severe. "My feeling is that it would have caused me a lot more grief if I had been on a Windows computer: It may have installed the malware. Instead, it took over my browser, which I just fixed by exiting Firefox," Schofield says.

DoubleClick acknowledges the malware is out there, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.

"This is an industry-wide challenge. Unfortunately, there are bad actors who misrepresent themselves and purchase advertising as an avenue to distribute malware. This has the potential to affect all businesses and consumers in the online environment," says Sean Harvey, senior product manager at DoubleClick DART.

Publishers may be somewhat culpable, too. The distributor of the malware-infected ads is believed to be AdTraff, an online-marketing company with reported ties to the Russian Business Network, a secretive internet service provider that, security firms say, hosts some of the internet's most egregious scams. AdTraff is believed to have posed as a legitimate advertiser, using its partners as references. The ads were almost always paid for with credit cards or wire transfers, according to Alex Eckelberry, CEO of Sunbelt Software, a provider of security software.

"The AdTraff guys probably register at a bunch of sites -- maybe more than 300. They say they're advertisers. They get the sales guys at the end of the quarter when they're anxious to take the deal. (AdTraff) wires the cash, and they buy the inventory on the site," Eckelberry says.

AdTraff could not be reached for comment. The company lists a phone number in Germany which leads to a generic voicemail box.

Wes Bucey

Prophet of Profit
My spyware scan today showed I had picked up three "Rogue" [the spyware scanner's term] spies which from the description presented by the spyware scanner are the kind which offer bogus checking of your computer and then proceed to plant their own little time bombs.

I don't bother to investigate further, I just click the "destroy" button and go blithely on my way.
I don't bother to investigate further, I just click the "destroy" button and go blithely on my way.
I usually don't get them at all... As soon as I notice that my popup-blocker starts kicking in more often, I update my hosts file: Assigning the culprit to IP (which just happens to be the local machine) will make the machine search for the offending page internally instead of on the open web. Of course it will not find it there, and nothing bad happens.:D


Jim Wynne

On a peripherally related note, I just discovered yet another type of phishing scam in my Gmail spam bucket. It's a notice alleging to be from the IRS, telling me that I have a $99.00 refund coming, and giving me a link to go and get it. I have a feeling it's yet another implementation of the so-called Storm worm, which was also discussed on the Cove here.
Top Bottom