Ads--the new malware delivery format

Instead of hacking into major online sites to embed malware, malicious hackers are going in through the front door by exploiting security holes in systems for delivering ads.

It happened just days ago, for instance, to the Web site of The New York Times. The newspaper company informed readers on Sunday about a rogue ad that was popping up on its site. The ad warned visitors to NYTimes.com that their computer may be infected with a virus and redirected them to a site that purports to scan the computer and offers to sell antivirus software.

This is common behavior for what is known as fake security alerts, or "scareware," designed to trick people into paying for something they don't need. Use of this type of scam is on the rise.

Typically, the site hosting the rogue alerts has been compromised, or a worm, like Conficker, distributes the alerts directly to computers.

"I think there is a problem with ad networks, in general," said Graham Cluley, a Sophos security researcher. "The problem really is with Web sites handing over control of some of their content to third parties."

The rogue ad on NYTimes.com was delivered by an unknown ad delivery firm after the newspaper agreed to run an ad for a week from a company posing as Internet telephony provider Vonage, according to New York Times spokeswoman Diane McNulty. Initially, a legitimate-looking ad was running, but that was switched with the fake antivirus alerts, possibly on Friday, she said.

"In the future, we will not allow any advertiser to use unfamiliar third-party vendors," McNulty is quoted as saying. (McNulty did not respond to e-mail questions posed by CNET News on Monday and Tuesday.)

Several news organizations were targeted in the rogue ad scam, according to a New York Times statement.

One of them was SFGate.com, the site for the San Francisco Chronicle, a Chronicle spokeswoman told The New York Times. (Calls from CNET News were not returned on Monday and Tuesday.) "We did get hit with something over the weekend," Kelly Harville, a vice president of marketing at the newspaper, is quoted as saying.

"This isn't uncommon," said Michael Caruso, founder and chief executive of Clickfacts. Scammers "come in looking like one thing. They spoof the email addresses, even get good references for their credit and run a car ad. It happened with a Lexus ad a couple of weeks ago...They change the content out at the content delivery network."

ClickFacts, which started out helping advertisers defend against click fraud, also offers an ad scanning service for Web sites and ad networks that audits ad content for things like malware. For instance, ClickFacts is monitoring the ads that appear on News Corp.'s Fox site, which previously was hit by rogue scareware, Caruso said.

"We proactively scan the ads before they are delivered and then continuously scan them from many IP ranges around the world to make sure they're not launching adware," he said.

Many ad networks are scanning ads manually, but ad content can easily be changed after a manual scan is done, Caruso said. In addition, he said, a malicious ad "could be placed in anywhere" because sites often have other companies sell their ad inventory.

For example, two years ago Trojan horse software was discovered in banner ads that an ad network was serving up via Yahoo's Right Media Exchange to MySpace, Photobucket, Bebo, and other high-traffic sites.

The rogue ads pose a number of problems. First, they can download malware to a computer once the ad is clicked on. The malware can include Trojans, back doors, and keystroke loggers and can be used by the scammers to commandeer the computer to send spam or launch attacks on other computers, according to Cluley.

Then, if someone falls for the ruse and provides credit card and other billing information, the scammers have sensitive financial data that can be used for identity fraud.

"Identity theft is the purpose behind the ads," said Caruso.