Hackers target fake ads to steal IDs

The rise of scareware

By Elinor Mills

Published: 16 September 2009 15:20 GMT

Instead of hacking into major online sites to embed malware, malicious hackers are going in through the front door by exploiting security holes in systems for delivering ads.

It happened just days ago, at the weekend, to The New York Times website. The newspaper company informed readers on Sunday about a rogue ad that was popping up on its site. The ad warned visitors to NYTimes.com that their computer may be infected with a virus and redirected them to a site that purports to scan the computer and offers to sell antivirus software.

This is common behaviour for what are known as fake security alerts, or "scareware", designed to trick people into paying for something they don't need.

Typically, the site hosting the rogue alerts has been compromised, or a worm, like Conficker, distributes the alerts directly to computers.

By sneaking fake ads onto a high-profile site, the scammers are likely to net more victims than by targeting smaller sites.

Graham Cluley, a Sophos security researcher, said: "I think there is a problem with ad networks, in general. The problem really is with websites handing over control of some of their content to third parties."

The rogue ad on NYTimes.com was delivered by an unknown ad delivery firm after the newspaper agreed to run an ad for a week from a company posing as internet telephony provider Vonage, according to a New York Times spokeswoman. Initially, a legitimate-looking ad was running but that was switched with the fake antivirus alerts, possibly on Friday, she said.

"In the future, we will not allow any advertiser to use unfamiliar third-party vendors," the spokeswoman is quoted as saying.

She did not respond to email questions posed by silicon.com sister site CNET News.

Several news organisations were targeted in the rogue ad scam, according to a New York Times statement.

Michael Caruso, founder and chief executive of Clickfacts, an ad-scanning company, said: "This isn't uncommon." Scammers "come in looking like one thing. They spoof the email addresses, even get good references for their credit and run a car ad. It happened with a Lexus ad a couple of weeks ago... They change the content out at the content delivery network".

Many ad networks are scanning ads manually, but ad content can easily be changed after a manual scan is done, Caruso said. In addition, he said, a malicious ad "could be placed in anywhere" because sites often have other companies sell their ad inventory.

The rogue ads pose a number of problems. First, they can download malware to a computer once the ad is clicked on. The malware can include Trojans, back doors, and keystroke loggers and can be used by the scammers to commandeer the computer to send spam or launch attacks on other computers, according to Sophos' Cluley.

Then, if someone falls for the ruse and provides credit card and other billing information, the scammers have sensitive financial data that can be used for identity fraud.

"Identity theft is the purpose behind the ads," said Clickfacts' Caruso.

Original article: Ads--the new malware delivery format from CNET News.com
