Feeds

Rogue ads infiltrate Expedia and Rhapsody

When legit sites attack

Remote control for virtualized desktops

This story was corrected throughout to name Expedia.com as one of two sites found by Trend Micro and Sandi Hardmeier to be serving malicious banner ads. While Excite.com has been found in the past to also host attack ads, there are no recent reports it has done so recently.

Expedia.com and Rhapsody.com are the latest name-brand websites to be found serving advertisements that try to install malware onto users' machines, security researchers said. The sites join a Rogue's Gallery of mainstream destinations that include MySpace, Excite, Blick, and CNN.com, which all have been caught carrying tainted ads over the past few months.

Both Expedia and Rhapsody hosted banner ads that produce messages falsely claiming end users should install software that will fix malware infections or other problems that plague their machines, according to a research note from Trend Micro. The messages are produced using malicious links injected into the ad graphics, which use Adobe Shockwave. Frequently, such ads are tailored to look strikingly similar to official Windows dialog pop-ups, in an attempt to trick the users.

The rogue ads on Expedia were reported earlier this week by Microsoft MVP Sandi Hardmeier's "Spyware Sucks" blog. An update Wednesday produced additional banners she said were malicious.

Officials from Real Networks, the parent company of Rhapsody, removed the rogue ads last Thursday, according to spokeswoman Ronda Scott. Investigators believe the attacks began six days earlier, but have not yet determined how they made their way onto the site, she said. There is no estimate of how many people were subjected to the ads.

"It was the type of malware that displays a message to the user that says: 'You've been infected. Click here to purchase software to fix,'" she said.

A spokeswoman for Expedia said an "imposter advertiser" managed to circumvent the company's advertising policy before eventually being discovered. The company doesn't yet know how long the ad was carried on how many users were exposed to it.

"We're constantly evaluating our security practices and procedures to address the newest threats," she said.

Over the past year, we've written a fair number of stories reporting various vulnerabilities and exploits that require a user to visit a booby-trapped website before getting compromised. Some Reg readers have sneered at such requirements, suggesting that only the foolhardy would fall for such a ruse. While the ads on Expedia and Rhapsody don't appear to have exploited vulnerabilities, they serve as reminders that rigged websites come in many varieties, and getting people to visit them is relatively trivial.

What's more, banner ads are only one way to poison a once-trustworthy website. Plenty of others fall victim to SQL injections or other compromises that turn them into attack platforms that try to install malware cocktails that target vulnerabilities in Windows, QuickTime and other popular programs. According to Websense, 51 percent of sites that engaged in drive-by downloads over the past six months were legitimate destinations that had been hijacked.

While Trend's research report didn't say how the rogue banners made their way onto the sites, the most likely means was through ad networks. Companies such as DoubleClick and Real Media (the latter has no affiliation with Real Networks, by the way) typically do automated scans of the graphics carried on their systems, but the checks are notoriously simple for purveyors of malware to get around. Often, the bad guys avoid detection by swapping out benign ads with the malicious ones several hours or days after the campaign begins, or by serving rogue banners only in select geographical regions.

As always, Firefox users can insulate themselves from many of these threats by using the NoScript extension. If you've got a good suggestion for ways users of other browsers can protect themselves, please leave a comment. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.