Hackers Use Banner Ads on Major Sites to Hijack Your PC

Spiked ads have been spotted on MLB.com, NHL.com and The Economist.

By ABC News
November 16, 2007, 11:34 AM

Nov. 16, 2007 -- The worst-case scenario used to be that online ads were pesky, memory-draining distractions. But a new batch of banner ads is much more sinister: They hijack personal computers and bully users until they agree to buy antivirus software.

And the ads do their dirty work even if you don't click on them.

The malware-spiked ads have been spotted on various legitimate websites, ranging from the British magazine The Economist to baseball's MLB.com to the Canada.com news portal. Hackers are using deceptive practices and tricky Flash programming to get their ads onto legitimate sites by way of DoubleClick's DART program. Web publishers use the DoubleClick-hosted platform to manage advertising inventory.

If you've seen any of the ads, you may have experienced something like this: You're on a legitimate site. Your browser window closes down. A new browser window comes up, redirecting you to an antivirus site, while a dialog box comes up telling you that your computer is infected and that your hard drive is being scanned. The malware tries to download software to your computer and scans your hard drive again. (Here's a video demonstration of the rogue ads.)

The malware looks like an ordinary Flash file, with its redirect function encrypted, so that when publishers upload it, the malware is not detectable. Once deployed on a site, the Flash file launches the malicious redirects, which appear to be triggered at preset times or at selected Web domains.

John Mark Schofield, a Los Angeles IT director, encountered the ads on Canada.com. He thinks that because he was on a Mac OS computer, the damage wasn't so severe. "My feeling is that it would have caused me a lot more grief if I had been on a Windows computer: It may have installed the malware. Instead, it took over my browser, which I just fixed by exiting Firefox," Schofield says.

DoubleClick acknowledges the malware is out there, and says it has implemented a new security-monitoring system that has thus far captured and disabled a hundred ads.