Sponsored search results lead to malware

>From "Window Secrets"

Sponsored search results lead to malware

Susan Bradley By Susan Bradley

The ads served by Bing and Google along with your search
results are linking more and more often to sites trying to
infect your machine.

Neither Bing nor Google effectively prescreens these bogus
advertisers, so it's up to us to detect and avoid them.

You may recently have used either Google or Microsoft's new
Bing search engine to find the popular Malwarebytes
Anti-Malware utility. If so, chances are good that the
sponsored ads alongside your search results contained links
to the very malware that the security tool is designed to
remove.

The three largest search sites — Google, Yahoo, and Bing —
regularly sell security-related keywords to criminals
looking to trick you into downloading and installing fake
anti-malware products. The crooks then steal your personal
information or hold your system for ransom before letting
you remove their malware from your machine.

The search providers have been aware of this for years. To
their discredit, they've done little to end the practice,
even though it's in their power to do so. The reason?
They're making money hand over fist from those sponsored
text ads and don't want to kill the goose that lays the
golden eggs.

Case in point: A Windows Secrets reader searched Bing for
Malwarebytes Anti-Malware. He clicked the first link
displayed and ended up on a site that installed a rogue
antivirus program on his PC. (See Figure 1.)

Bogus Malwarebytes links in Bing Figure 1. Malicious
sponsored ads are interspersed with links to legitimate
companies when you query search engines for the
Malwarebytes security program.

Rather than getting a tool to clean up a friend's infected
computer, this Web surfer ended up having to disinfect his
own. He and several other people I've heard from recently
were hit with the result of search services' selling
sponsored links without validating those links' legitimacy.

As search terms become popular, scammers jump at the chance
to have their bogus ads appear among the results. To get
their deceptive ads into these highly visible search
results, these criminals simply buy these high-traffic
terms from the search engines.

Big-name sites still serving up malicious ads

Another form of dangerous Web ads appears on otherwise
legitimate sites.

WS contributing editor Scott Dunn described a year and a
half ago in an April 17, 2008, Top Story infectious Flash
ads that achieved space on well-known sites. I also
reported on drive-by malware downloads in the June 11,
2009, Top Story. In the most-recent case, NYTimes.com and
other established sites hosted malware-infested ads. The
New York Times described the attack in a Sept. 14 article.

When malicious ads — or "malvertisements" — enter the
rotation on these sites, your system may become infected if
you merely view the page. This is especially true if your
versions of media players based on Java, Flash, or
QuickTime are out-of-date.

It's getting so bad that even top officials at Google
acknowledge the problem, though they haven't yet taken
steps to halt it. Eric Davis, head of anti-malvertising at
Google, stated at the 2009 Virus Bulletin Conference that
the industry needs to work together to combat this problem.

As reported by Dennis Fisher on Kaspersky Lab's Threat Post
site, Davis called for the creation of an industry
clearinghouse that would certify ad servers. Such an
organization would allow all search vendors and other sites
to use online-ad agencies without fear that a malicious ad
would insert itself into rotation.

Microsoft has decided to use the courts as a weapon against
malicious advertisers. A Sept. 18 Associated Press article
posted on the MSNBC site states that the company is
attempting to go after several suspicious ad vendors.

Even using Yahoo or a smaller search index won't prevent
such attacks, because second-tier engines have been hit
with malicious ads, too, as a Sept. 25 story by Deborah
Hale on Incidents.org reported.

Ways to fight back against online attack ads

Following my investigation of the malicious ads on Bing, I
contacted the Microsoft Security Response Center, which can
be reached via secure at microsoft.com. Within a few days,
the offensive ads were removed.

However, searching on the term malwarebytes combined with
such words as virus and antivirus continued to return
dubious destinations in Bing's sponsored-links section.

The same type of ads appears among Google results when you
search on similar terms. Depending on the location you
search from, you may see a link to Cyberdefender.com among
the results. This company is listed on the hpHosts site as
selling fraudulent software.

I reported this site to Google via a Web form on the Google
site. But to date, no action has been taken to remove this
and related malicious links.

Unfortunately, balancing the scales of justice takes time.
What can you do in the meantime to help protect yourself
from these malicious ads?

* Don't expect flawless protection from your Web browser of
choice. Internet Explorer, Firefox, and other browsers now
support bad-sites lists, but every malicious ad server may
not be known. Nor are browser security add-ons perfect.
McAfee SiteAdvisor, for instance, may include results that
are up to one year old, as WS contributing editor Mark
Edwards reported on Feb. 12, 2009.

* If you're not sure, verify the URL. Microsoft and Google
have large payrolls, but the search giants don't employ
literal armies to review ad submissions. If you're at all
suspicious of an ad's legitimacy, check the URL via a
service such as hpHosts, which tracks domain names that
researchers have reported as malicious.

* Help vendors by reporting malicious advertisers. To
report bogus ads on Google, e-mail security at google.com.
This is likely to be more effective than reporting the site
via the search giant's online form. If you discover malware
purveyors advertising in Bing's results, e-mail secure at
microsoft.com. Yahoo, however, offers only a Security
Phishing Report Form.

I do hope that Google, Microsoft, and Yahoo can put their
differences aside and correct this situation. In the
meantime, be careful when you search and be suspicious of
sponsored links. Too many of them are fictitious these days
— and dangerous.

Anonymous Remailer

Anonymous Remailer wrote:

>your system may become infected if
>you merely view the page.

Wow!
That's almost enough to scare me into spending money on someone's
product, that is if I could muster up any faith in anything from a
source using an 'Anonymous Remailer'.
FWIW: There isn't any place on the internet that I can't click for fear
of consequence, nope, nothing online can touch me ))
Nor can anything sent via email either ))

ASCII

"ASCII" <> wrote in message news:4ace4ec0.969281@EBCDIC...
> Anonymous Remailer wrote:
>
>>your system may become infected if
>>you merely view the page.
>
> Wow!
> That's almost enough to scare me into spending money on someone's
> product

Hello

You may be pleased to note that others (perhaps not quite a *sure* as you
seem to be ASCII) no longer have to spend any money to get *some* added
protection!

I visited a web page recently and received a Warning regarding
malware http://i35.tinypic.com/4fj7n.jpg :-

I now appreciate that I got the warning because I have set my
browser (Safari) to recognise the trigger.

Following some research, I discovered another URL which produced a similar
warning.

hxxp://thekrazykraftlady.blogspot.com/ (Obfuscated)

I've now tried this URL using Google Chrome and the
Warning 'picture' is similar, but not identical, to that which I see using
Safari. Here's a screenshot: http://i33.tinypic.com/55i1xh.jpg

I've also looked with Firefox 3.5 and I get a *different*, warning.
Here's how it looks http://i36.tinypic.com/24g9evm.jpg

Internet Explorer 8 - just reset to as new settings - shows *NO* warning
message. Is that a surprise to anyone?!!

It would be great if others would advise what, if any, warnings *they* get.

Anyone?

Btw - the original article came from Windows Secrets.
http://windowssecrets.com/2009/10/08...ead-to-malware

--
Dave (~BD~ using my wife's laptop right now!)

Beady

Beady wrote:
>
>Google Chrome http://i33.tinypic.com/55i1xh.jpg
>
>Firefox 3.5 http://i36.tinypic.com/24g9evm.jpg
>
>Internet Explorer 8 - just reset to as new settings - shows *NO* warning
>message. Is that a surprise to anyone?!!
>It would be great if others would advise what, if any, warnings *they* get.
>
>Anyone?

Using Opera v10.0 I get no warning as none is needed.

>Btw - the original article came from Windows Secrets.
>http://windowssecrets.com/2009/10/08...ead-to-malware

Someone later indicated the source of that article but my initial
response was to some nymshit giving no accreditation whatsoever and
posting it as if it came from their own creative resources.

The reason for my wry response was because there seems to be a culture
of FearUncertainty&Doubt FUD that prevails in this and other fora that
serves only to feed the starving egos of wannabe do-gooders.

BYW: The person at that site (krazylady) offers this comment:

Copied from http://thekrazykraftlady.blogspot.com/
Caution! some browsers might perform poorly with this URL

"Possible Malware Detection
I recently received 2 separate emails from readers saying that when they
try to get on this blog that they are being told by their anti-virus
program/ Google Chrome that this site 'may be' distributing malware.
One reader said that she was getting 'pop unders' when she accessed the
blog. I recalled that a few weeks back one of the craft forums that I
belong to was having a similar problem and she was advised to delete her
plug board which was the cause of her problems because someone kept
plugging a button that was redirecting to a malware site. ( I hope I got
that right). Anyway, I went into Google Webmaster Tools and submitted
this blog for verification and it does come back as saying 'this site
may be distributing malware'. This is very upsetting to me and I do
apologize to readers who have been having a problem.
I've gone into my HTML layout and have not been able to detect anything
that does not belong. I've run SuperAntiSpyware on my computer and no
harmful spyware was detected. I also removed the plug board 'just in
case' and resubmitted this blog for reconsideration ( meaning Google
will review the site again to make sure it's not in violation. If it
passes, then it will once again show up in Google searches and be
considered 'safe'.
I'm truly hoping that the problem lay in the plugboard and now that it's
gone that there will be no more problems. Unfortunately, it could take
up to several weeks for the reconsideration request.
I just wanted to let you know I am not taking this lightly."

ASCII