Feeds

Rogue ads infiltrate Expedia and Rhapsody

When legit sites attack

Securing Web Applications Made Simple and Scalable

This story was corrected throughout to name Expedia.com as one of two sites found by Trend Micro and Sandi Hardmeier to be serving malicious banner ads. While Excite.com has been found in the past to also host attack ads, there are no recent reports it has done so recently.

Expedia.com and Rhapsody.com are the latest name-brand websites to be found serving advertisements that try to install malware onto users' machines, security researchers said. The sites join a Rogue's Gallery of mainstream destinations that include MySpace, Excite, Blick, and CNN.com, which all have been caught carrying tainted ads over the past few months.

Both Expedia and Rhapsody hosted banner ads that produce messages falsely claiming end users should install software that will fix malware infections or other problems that plague their machines, according to a research note from Trend Micro. The messages are produced using malicious links injected into the ad graphics, which use Adobe Shockwave. Frequently, such ads are tailored to look strikingly similar to official Windows dialog pop-ups, in an attempt to trick the users.

The rogue ads on Expedia were reported earlier this week by Microsoft MVP Sandi Hardmeier's "Spyware Sucks" blog. An update Wednesday produced additional banners she said were malicious.

Officials from Real Networks, the parent company of Rhapsody, removed the rogue ads last Thursday, according to spokeswoman Ronda Scott. Investigators believe the attacks began six days earlier, but have not yet determined how they made their way onto the site, she said. There is no estimate of how many people were subjected to the ads.

"It was the type of malware that displays a message to the user that says: 'You've been infected. Click here to purchase software to fix,'" she said.

A spokeswoman for Expedia said an "imposter advertiser" managed to circumvent the company's advertising policy before eventually being discovered. The company doesn't yet know how long the ad was carried on how many users were exposed to it.

"We're constantly evaluating our security practices and procedures to address the newest threats," she said.

Over the past year, we've written a fair number of stories reporting various vulnerabilities and exploits that require a user to visit a booby-trapped website before getting compromised. Some Reg readers have sneered at such requirements, suggesting that only the foolhardy would fall for such a ruse. While the ads on Expedia and Rhapsody don't appear to have exploited vulnerabilities, they serve as reminders that rigged websites come in many varieties, and getting people to visit them is relatively trivial.

What's more, banner ads are only one way to poison a once-trustworthy website. Plenty of others fall victim to SQL injections or other compromises that turn them into attack platforms that try to install malware cocktails that target vulnerabilities in Windows, QuickTime and other popular programs. According to Websense, 51 percent of sites that engaged in drive-by downloads over the past six months were legitimate destinations that had been hijacked.

While Trend's research report didn't say how the rogue banners made their way onto the sites, the most likely means was through ad networks. Companies such as DoubleClick and Real Media (the latter has no affiliation with Real Networks, by the way) typically do automated scans of the graphics carried on their systems, but the checks are notoriously simple for purveyors of malware to get around. Often, the bad guys avoid detection by swapping out benign ads with the malicious ones several hours or days after the campaign begins, or by serving rogue banners only in select geographical regions.

As always, Firefox users can insulate themselves from many of these threats by using the NoScript extension. If you've got a good suggestion for ways users of other browsers can protect themselves, please leave a comment. ®

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you on YouPorn lately, perhaps? White House website?
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.