Feeds

Rogue ads infiltrate Expedia and Rhapsody

When legit sites attack

Internet Security Threat Report 2014

This story was corrected throughout to name Expedia.com as one of two sites found by Trend Micro and Sandi Hardmeier to be serving malicious banner ads. While Excite.com has been found in the past to also host attack ads, there are no recent reports it has done so recently.

Expedia.com and Rhapsody.com are the latest name-brand websites to be found serving advertisements that try to install malware onto users' machines, security researchers said. The sites join a Rogue's Gallery of mainstream destinations that include MySpace, Excite, Blick, and CNN.com, which all have been caught carrying tainted ads over the past few months.

Both Expedia and Rhapsody hosted banner ads that produce messages falsely claiming end users should install software that will fix malware infections or other problems that plague their machines, according to a research note from Trend Micro. The messages are produced using malicious links injected into the ad graphics, which use Adobe Shockwave. Frequently, such ads are tailored to look strikingly similar to official Windows dialog pop-ups, in an attempt to trick the users.

The rogue ads on Expedia were reported earlier this week by Microsoft MVP Sandi Hardmeier's "Spyware Sucks" blog. An update Wednesday produced additional banners she said were malicious.

Officials from Real Networks, the parent company of Rhapsody, removed the rogue ads last Thursday, according to spokeswoman Ronda Scott. Investigators believe the attacks began six days earlier, but have not yet determined how they made their way onto the site, she said. There is no estimate of how many people were subjected to the ads.

"It was the type of malware that displays a message to the user that says: 'You've been infected. Click here to purchase software to fix,'" she said.

A spokeswoman for Expedia said an "imposter advertiser" managed to circumvent the company's advertising policy before eventually being discovered. The company doesn't yet know how long the ad was carried on how many users were exposed to it.

"We're constantly evaluating our security practices and procedures to address the newest threats," she said.

Over the past year, we've written a fair number of stories reporting various vulnerabilities and exploits that require a user to visit a booby-trapped website before getting compromised. Some Reg readers have sneered at such requirements, suggesting that only the foolhardy would fall for such a ruse. While the ads on Expedia and Rhapsody don't appear to have exploited vulnerabilities, they serve as reminders that rigged websites come in many varieties, and getting people to visit them is relatively trivial.

What's more, banner ads are only one way to poison a once-trustworthy website. Plenty of others fall victim to SQL injections or other compromises that turn them into attack platforms that try to install malware cocktails that target vulnerabilities in Windows, QuickTime and other popular programs. According to Websense, 51 percent of sites that engaged in drive-by downloads over the past six months were legitimate destinations that had been hijacked.

While Trend's research report didn't say how the rogue banners made their way onto the sites, the most likely means was through ad networks. Companies such as DoubleClick and Real Media (the latter has no affiliation with Real Networks, by the way) typically do automated scans of the graphics carried on their systems, but the checks are notoriously simple for purveyors of malware to get around. Often, the bad guys avoid detection by swapping out benign ads with the malicious ones several hours or days after the campaign begins, or by serving rogue banners only in select geographical regions.

As always, Firefox users can insulate themselves from many of these threats by using the NoScript extension. If you've got a good suggestion for ways users of other browsers can protect themselves, please leave a comment. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.