Rogue ads infiltrate Expedia and Rhapsody
When legit sites attack
This story was corrected throughout to name Expedia.com as one of two sites found by Trend Micro and Sandi Hardmeier to be serving malicious banner ads. While Excite.com has been found in the past to also host attack ads, there are no recent reports it has done so recently.
Expedia.com and Rhapsody.com are the latest name-brand websites to be found serving advertisements that try to install malware onto users' machines, security researchers said. The sites join a Rogue's Gallery of mainstream destinations that include MySpace, Excite, Blick, and CNN.com, which all have been caught carrying tainted ads over the past few months.
Both Expedia and Rhapsody hosted banner ads that produce messages falsely claiming end users should install software that will fix malware infections or other problems that plague their machines, according to a research note from Trend Micro. The messages are produced using malicious links injected into the ad graphics, which use Adobe Shockwave. Frequently, such ads are tailored to look strikingly similar to official Windows dialog pop-ups, in an attempt to trick the users.
Officials from Real Networks, the parent company of Rhapsody, removed the rogue ads last Thursday, according to spokeswoman Ronda Scott. Investigators believe the attacks began six days earlier, but have not yet determined how they made their way onto the site, she said. There is no estimate of how many people were subjected to the ads.
"It was the type of malware that displays a message to the user that says: 'You've been infected. Click here to purchase software to fix,'" she said.
A spokeswoman for Expedia said an "imposter advertiser" managed to circumvent the company's advertising policy before eventually being discovered. The company doesn't yet know how long the ad was carried on how many users were exposed to it.
"We're constantly evaluating our security practices and procedures to address the newest threats," she said.
Over the past year, we've written a fair number of stories reporting various vulnerabilities and exploits that require a user to visit a booby-trapped website before getting compromised. Some Reg readers have sneered at such requirements, suggesting that only the foolhardy would fall for such a ruse. While the ads on Expedia and Rhapsody don't appear to have exploited vulnerabilities, they serve as reminders that rigged websites come in many varieties, and getting people to visit them is relatively trivial.
What's more, banner ads are only one way to poison a once-trustworthy website. Plenty of others fall victim to SQL injections or other compromises that turn them into attack platforms that try to install malware cocktails that target vulnerabilities in Windows, QuickTime and other popular programs. According to Websense, 51 percent of sites that engaged in drive-by downloads over the past six months were legitimate destinations that had been hijacked.
While Trend's research report didn't say how the rogue banners made their way onto the sites, the most likely means was through ad networks. Companies such as DoubleClick and Real Media (the latter has no affiliation with Real Networks, by the way) typically do automated scans of the graphics carried on their systems, but the checks are notoriously simple for purveyors of malware to get around. Often, the bad guys avoid detection by swapping out benign ads with the malicious ones several hours or days after the campaign begins, or by serving rogue banners only in select geographical regions.
As always, Firefox users can insulate themselves from many of these threats by using the NoScript extension. If you've got a good suggestion for ways users of other browsers can protect themselves, please leave a comment. ®