Original URL: https://www.theregister.com/2008/08/18/malvertizing_epidemic/

'Malvertizement' epidemic visits house of Newsweek.com

Symptoms felt 'all over the net'

By Dan Goodin

Posted in Security, 18th August 2008 19:48 GMT

Newsweek.com is one of several high-profile websites suspected of running rogue banner advertisements that try to trick visitors into installing fraudulent anti-malware programs, security researchers warn.

The malicious ads have been appearing on Newsweek's website via feeds that carry the Washingtonpost.com address, according to this post on the Bluetack Internet Security Solutions site. The ads redirect users to a site that falsely claims users' PCs are infected with malware and urges them to buy and install software that will remedy the problem. The banner graphic posed as an ad for www.easy-forex.com, which bills itself as an online foreign currency exchange.

A spokeswoman for the Washington Post referred calls to a Newsweek representative. The representative had not returned a phone call by time of writing.

Newsweek joins a growing list of name-brand websites accused of exposing its readers to dangerous ads. Last week, we reported on a new breed of ad that used malicious Adobe Flash code to hijack the clipboard of users' PCs. MSNBC.com, Digg.com and other websites were said to be running the abusive ads.

"It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating - not only Newsweek, but at other big name sites like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo," Sandi Hardmeier, of the Spyware Sucks blog wrote here. Hardmeier said the ads are extremely hard to spot because they can sit dormant for days before the attacks begin. The use of multiple affiliates to buy and sell online ads also makes it hard for sales staff at established websites to separate legitimate ads from those that are designed to defraud or attack.

If you've witnessed such ads, please leave a comment below, and be sure to provide as much detail as possible about the offending banner.

In many of the recent cases, the malvertizements were created using a popular ad package known as Fuse Kit. Hardmeier recommends in-house ad personnel apply extra scrutiny to graphics that were created using the program. Hardmeier also recommends checking out the credentials of anyone looking to run advertising banners, including their phone number, physical address and credit.

"Take a close look at their websites - who hosts them, who shares their IP address, who shares their mail server and their name server," she adds. "Write to people such as myself and ask for advice and guidance."

There are other tell-tale signs to look for. For example, in the case of Newsweek, the offending ads included the address adoptserver.info, which Hardmeier claims is a "known bad actor." Any graphic that points to the domain name should immediately be suspended. ®