Feeds

Rogue ads infiltrate Expedia and Rhapsody

When legit sites attack

The Essential Guide to IT Transformation

This story was corrected throughout to name Expedia.com as one of two sites found by Trend Micro and Sandi Hardmeier to be serving malicious banner ads. While Excite.com has been found in the past to also host attack ads, there are no recent reports it has done so recently.

Expedia.com and Rhapsody.com are the latest name-brand websites to be found serving advertisements that try to install malware onto users' machines, security researchers said. The sites join a Rogue's Gallery of mainstream destinations that include MySpace, Excite, Blick, and CNN.com, which all have been caught carrying tainted ads over the past few months.

Both Expedia and Rhapsody hosted banner ads that produce messages falsely claiming end users should install software that will fix malware infections or other problems that plague their machines, according to a research note from Trend Micro. The messages are produced using malicious links injected into the ad graphics, which use Adobe Shockwave. Frequently, such ads are tailored to look strikingly similar to official Windows dialog pop-ups, in an attempt to trick the users.

The rogue ads on Expedia were reported earlier this week by Microsoft MVP Sandi Hardmeier's "Spyware Sucks" blog. An update Wednesday produced additional banners she said were malicious.

Officials from Real Networks, the parent company of Rhapsody, removed the rogue ads last Thursday, according to spokeswoman Ronda Scott. Investigators believe the attacks began six days earlier, but have not yet determined how they made their way onto the site, she said. There is no estimate of how many people were subjected to the ads.

"It was the type of malware that displays a message to the user that says: 'You've been infected. Click here to purchase software to fix,'" she said.

A spokeswoman for Expedia said an "imposter advertiser" managed to circumvent the company's advertising policy before eventually being discovered. The company doesn't yet know how long the ad was carried on how many users were exposed to it.

"We're constantly evaluating our security practices and procedures to address the newest threats," she said.

Over the past year, we've written a fair number of stories reporting various vulnerabilities and exploits that require a user to visit a booby-trapped website before getting compromised. Some Reg readers have sneered at such requirements, suggesting that only the foolhardy would fall for such a ruse. While the ads on Expedia and Rhapsody don't appear to have exploited vulnerabilities, they serve as reminders that rigged websites come in many varieties, and getting people to visit them is relatively trivial.

What's more, banner ads are only one way to poison a once-trustworthy website. Plenty of others fall victim to SQL injections or other compromises that turn them into attack platforms that try to install malware cocktails that target vulnerabilities in Windows, QuickTime and other popular programs. According to Websense, 51 percent of sites that engaged in drive-by downloads over the past six months were legitimate destinations that had been hijacked.

While Trend's research report didn't say how the rogue banners made their way onto the sites, the most likely means was through ad networks. Companies such as DoubleClick and Real Media (the latter has no affiliation with Real Networks, by the way) typically do automated scans of the graphics carried on their systems, but the checks are notoriously simple for purveyors of malware to get around. Often, the bad guys avoid detection by swapping out benign ads with the malicious ones several hours or days after the campaign begins, or by serving rogue banners only in select geographical regions.

As always, Firefox users can insulate themselves from many of these threats by using the NoScript extension. If you've got a good suggestion for ways users of other browsers can protect themselves, please leave a comment. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.