Sponsored search results lead to malware

Discussion in 'Computer Security' started by Anonymous Remailer, Oct 8, 2009.

  1. Sponsored search results lead to malware

    Susan Bradley By Susan Bradley

    The ads served by Bing and Google along with your search
    results are linking more and more often to sites trying to
    infect your machine.

    Neither Bing nor Google effectively prescreens these bogus
    advertisers, so it's up to us to detect and avoid them.

    You may recently have used either Google or Microsoft's new
    Bing search engine to find the popular Malwarebytes
    Anti-Malware utility. If so, chances are good that the
    sponsored ads alongside your search results contained links
    to the very malware that the security tool is designed to

    The three largest search sites — Google, Yahoo, and Bing —
    regularly sell security-related keywords to criminals
    looking to trick you into downloading and installing fake
    anti-malware products. The crooks then steal your personal
    information or hold your system for ransom before letting
    you remove their malware from your machine.

    The search providers have been aware of this for years. To
    their discredit, they've done little to end the practice,
    even though it's in their power to do so. The reason?
    They're making money hand over fist from those sponsored
    text ads and don't want to kill the goose that lays the
    golden eggs.

    Case in point: A Windows Secrets reader searched Bing for
    Malwarebytes Anti-Malware. He clicked the first link
    displayed and ended up on a site that installed a rogue
    antivirus program on his PC. (See Figure 1.)

    Bogus Malwarebytes links in Bing Figure 1. Malicious
    sponsored ads are interspersed with links to legitimate
    companies when you query search engines for the
    Malwarebytes security program.

    Rather than getting a tool to clean up a friend's infected
    computer, this Web surfer ended up having to disinfect his
    own. He and several other people I've heard from recently
    were hit with the result of search services' selling
    sponsored links without validating those links' legitimacy.

    As search terms become popular, scammers jump at the chance
    to have their bogus ads appear among the results. To get
    their deceptive ads into these highly visible search
    results, these criminals simply buy these high-traffic
    terms from the search engines.

    Big-name sites still serving up malicious ads

    Another form of dangerous Web ads appears on otherwise
    legitimate sites.

    WS contributing editor Scott Dunn described a year and a
    half ago in an April 17, 2008, Top Story infectious Flash
    ads that achieved space on well-known sites. I also
    reported on drive-by malware downloads in the June 11,
    2009, Top Story. In the most-recent case, NYTimes.com and
    other established sites hosted malware-infested ads. The
    New York Times described the attack in a Sept. 14 article.

    When malicious ads — or "malvertisements" — enter the
    rotation on these sites, your system may become infected if
    you merely view the page. This is especially true if your
    versions of media players based on Java, Flash, or
    QuickTime are out-of-date.

    It's getting so bad that even top officials at Google
    acknowledge the problem, though they haven't yet taken
    steps to halt it. Eric Davis, head of anti-malvertising at
    Google, stated at the 2009 Virus Bulletin Conference that
    the industry needs to work together to combat this problem.

    As reported by Dennis Fisher on Kaspersky Lab's Threat Post
    site, Davis called for the creation of an industry
    clearinghouse that would certify ad servers. Such an
    organization would allow all search vendors and other sites
    to use online-ad agencies without fear that a malicious ad
    would insert itself into rotation.

    Microsoft has decided to use the courts as a weapon against
    malicious advertisers. A Sept. 18 Associated Press article
    posted on the MSNBC site states that the company is
    attempting to go after several suspicious ad vendors.

    Even using Yahoo or a smaller search index won't prevent
    such attacks, because second-tier engines have been hit
    with malicious ads, too, as a Sept. 25 story by Deborah
    Hale on Incidents.org reported.

    Ways to fight back against online attack ads

    Following my investigation of the malicious ads on Bing, I
    contacted the Microsoft Security Response Center, which can
    be reached via secure at microsoft.com. Within a few days,
    the offensive ads were removed.

    However, searching on the term malwarebytes combined with
    such words as virus and antivirus continued to return
    dubious destinations in Bing's sponsored-links section.

    The same type of ads appears among Google results when you
    search on similar terms. Depending on the location you
    search from, you may see a link to Cyberdefender.com among
    the results. This company is listed on the hpHosts site as
    selling fraudulent software.

    I reported this site to Google via a Web form on the Google
    site. But to date, no action has been taken to remove this
    and related malicious links.

    Unfortunately, balancing the scales of justice takes time.
    What can you do in the meantime to help protect yourself
    from these malicious ads?

    * Don't expect flawless protection from your Web browser of
    choice. Internet Explorer, Firefox, and other browsers now
    support bad-sites lists, but every malicious ad server may
    not be known. Nor are browser security add-ons perfect.
    McAfee SiteAdvisor, for instance, may include results that
    are up to one year old, as WS contributing editor Mark
    Edwards reported on Feb. 12, 2009.

    * If you're not sure, verify the URL. Microsoft and Google
    have large payrolls, but the search giants don't employ
    literal armies to review ad submissions. If you're at all
    suspicious of an ad's legitimacy, check the URL via a
    service such as hpHosts, which tracks domain names that
    researchers have reported as malicious.

    * Help vendors by reporting malicious advertisers. To
    report bogus ads on Google, e-mail security at google.com.
    This is likely to be more effective than reporting the site
    via the search giant's online form. If you discover malware
    purveyors advertising in Bing's results, e-mail secure at
    microsoft.com. Yahoo, however, offers only a Security
    Phishing Report Form.

    I do hope that Google, Microsoft, and Yahoo can put their
    differences aside and correct this situation. In the
    meantime, be careful when you search and be suspicious of
    sponsored links. Too many of them are fictitious these days
    — and dangerous.
    Anonymous Remailer, Oct 8, 2009
    1. Advertisements

  2. Anonymous Remailer

    ASCII Guest

    Anonymous Remailer wrote:
    That's almost enough to scare me into spending money on someone's
    product, that is if I could muster up any faith in anything from a
    source using an 'Anonymous Remailer'.
    FWIW: There isn't any place on the internet that I can't click for fear
    of consequence, nope, nothing online can touch me ;-)))
    Nor can anything sent via email either ;-)))
    ASCII, Oct 8, 2009
    1. Advertisements

  3. Anonymous Remailer

    Beady Guest

    Hello :)

    You may be pleased to note that others (perhaps not quite a *sure* as you
    seem to be ASCII) no longer have to spend any money to get *some* added

    I visited a web page recently and received a Warning regarding
    malware http://i35.tinypic.com/4fj7n.jpg :-

    I now appreciate that I got the warning because I have set my
    browser (Safari) to recognise the trigger.

    Following some research, I discovered another URL which produced a similar

    hxxp://thekrazykraftlady.blogspot.com/ (Obfuscated)

    I've now tried this URL using Google Chrome and the
    Warning 'picture' is similar, but not identical, to that which I see using
    Safari. Here's a screenshot: http://i33.tinypic.com/55i1xh.jpg

    I've also looked with Firefox 3.5 and I get a *different*, warning.
    Here's how it looks http://i36.tinypic.com/24g9evm.jpg

    Internet Explorer 8 - just reset to as new settings - shows *NO* warning
    message. Is that a surprise to anyone?!! ;)

    It would be great if others would advise what, if any, warnings *they* get.


    Btw - the original article came from Windows Secrets.
    Beady, Oct 11, 2009
  4. Anonymous Remailer

    ASCII Guest

    Using Opera v10.0 I get no warning as none is needed.
    Someone later indicated the source of that article but my initial
    response was to some nymshit giving no accreditation whatsoever and
    posting it as if it came from their own creative resources.

    The reason for my wry response was because there seems to be a culture
    of FearUncertainty&Doubt FUD that prevails in this and other fora that
    serves only to feed the starving egos of wannabe do-gooders.

    BYW: The person at that site (krazylady) offers this comment:

    Copied from http://thekrazykraftlady.blogspot.com/
    Caution! some browsers might perform poorly with this URL

    "Possible Malware Detection
    I recently received 2 separate emails from readers saying that when they
    try to get on this blog that they are being told by their anti-virus
    program/ Google Chrome that this site 'may be' distributing malware.
    One reader said that she was getting 'pop unders' when she accessed the
    blog. I recalled that a few weeks back one of the craft forums that I
    belong to was having a similar problem and she was advised to delete her
    plug board which was the cause of her problems because someone kept
    plugging a button that was redirecting to a malware site. ( I hope I got
    that right). Anyway, I went into Google Webmaster Tools and submitted
    this blog for verification and it does come back as saying 'this site
    may be distributing malware'. This is very upsetting to me and I do
    apologize to readers who have been having a problem.
    I've gone into my HTML layout and have not been able to detect anything
    that does not belong. I've run SuperAntiSpyware on my computer and no
    harmful spyware was detected. I also removed the plug board 'just in
    case' and resubmitted this blog for reconsideration ( meaning Google
    will review the site again to make sure it's not in violation. If it
    passes, then it will once again show up in Google searches and be
    considered 'safe'.
    I'm truly hoping that the problem lay in the plugboard and now that it's
    gone that there will be no more problems. Unfortunately, it could take
    up to several weeks for the reconsideration request.
    I just wanted to let you know I am not taking this lightly."
    ASCII, Oct 11, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.