As advertising reaches ever more Web sites, cyber-criminals have begun using affiliate ad networks to infect computers with keystroke loggers, botnet software, and other malicious code. The tactics of these bad actors are outlined in a report published by the Finjan Malicious Code Research Center.
Cyber-criminals use two main strategies to run ads serving malicious code to unsuspecting users. Some hack pages on a publisher's site and insert code behind a content page or ad, as happened in the case of an infected ad served on MySpace.com. A second strategy involves the formation of affiliate ad networks where site operators are paid based on the number of infections, rather than impressions, they manage to deliver.
The cost of entry for the cyber-criminals running the networks is low. "Criminals today can buy a software package online... and start to infect users with Trojans," said Finjan CTO Yuval Ben-Itzhak. "Criminals don't need to know anything about security. It makes it possible for almost anyone to do this crime."
Ad networks set up under false pretenses attract second- and third-tier site owners by paying out higher rates. The cost-per-infection rate paid to publishers varies based on the country of the hacked computer. Finjan uncovered a rate page for one network in which CPMs were highest in Australia ($500), the U.K. ($400), and Denmark ($200). Infections of computers in the U.S., the Netherlands, France, Spain, and Germany each paid $120 per thousand infected computers.
The rate card is consistent with the operations of crimeware rings, according to Ben Edelman, independent spyware researcher and assistant professor at Harvard Business School. "The folks making the software do generally pay for installation," he said.
The delivery mechanism used by cyber-criminals operating ad networks, and by those who hack directly into Web sites, is often an inline frame, or IFrame. It works by embedding one HTML document within another Web page, and that embedded content is used to transmit the malicious code. Finjan observed cases where the code is able to obfuscate itself on a user's computer to avoid detection.
The extent of the problem is not easy to quantify. Trojan-serving networks conceal their activities by storing visitors' IP addresses and, when those individuals return to a site, reverting to clean content and ads. In many instances observed by Finjan, the infected ad delivered three different attacks on the user to ensure an install and to gain access to the PC. Some computers were infected with keystroke loggers in order to capture passwords, bank account information and other personal details. Other machines were converted into zombie spam servers.
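The IFrame delivery described above is something a publisher or ad-operations team can screen for before a creative goes live. The following is an added example, not code from Finjan or from the article, that parses an ad creative and flags iframes sized or styled to be invisible, noting when they also load from a host other than the publisher's; the creative and the domains are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample creative: a normal banner plus a zero-size, CSS-hidden
# iframe loading third-party content (hypothetical hosts, not real indicators).
SAMPLE_CREATIVE = """
<div class="ad"><a href="https://ads.example-network.test/click"><img src="banner.gif"></a></div>
<iframe src="http://payload.example.test/x.html" width="0" height="0" style="visibility:hidden"></iframe>
"""


class IFrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the creative."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel (the usual 'invisible' sizes)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, publisher_host):
    """Return (src, reasons) for iframes that look like covert loaders.

    A frame is reported only when it is hidden (zero-size or display/visibility
    CSS); "off-domain" is added when its src host differs from the publisher's.
    This is a triage heuristic for review, not proof of malicious intent.
    """
    collector = IFrameCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        reasons = []
        if _is_tiny(frame.get("width", "")) or _is_tiny(frame.get("height", "")):
            reasons.append("zero-size")
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-css")
        if reasons:
            src = frame.get("src", "")
            host = urlparse(src).hostname or ""
            if host and host != publisher_host:
                reasons.append("off-domain")
            findings.append((src, reasons))
    return findings
```

Because the networks in the report serve clean content to IP addresses they have already seen, a creative that scans clean once is not cleared; re-fetch it from addresses the network has not yet encountered before trusting the result.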
While evidence of rogue networks exists, isolated occurrences of malicious ads are more common in Edelman's experience. In early June, he identified an ad for a product called DriveCleaner that ran on Friendster.com and was served through DoubleClick's DART servers. The ad attempted to take over Friendster and replace the URL in the address bar with another, according to Edelman.
Symantec's security response database describes DriveCleaner as "a misleading application, which gives exaggerated reports of security and privacy risks on a computer. The program then prompts the user to purchase a registered version of the software in order to remove reported risks."
DoubleClick declined to comment specifically on the Friendster.com example. The DART system does have procedures in place for situations where an unsuitable ad is served.
"We very rarely come across cases like this," said Sean Harvey, senior product manager of the DART platform at DoubleClick. "As a technology provider, we have a strong support team. They contact us and we can put a SWAT team on it and shut it down in real time."
The publisher sites Finjan questioned for the report said they were unaware of the attacks perpetrated through their ad inventory. Most contracts today stipulate an ad network will not serve ads with adult content, porn or gambling messages, but mention nothing about hacking or malicious code.
"There is no contract or liability between two parties that relates to malicious content," said Ben-Itzhak.