Malicious ads infiltrating the top dogs of online ad networks: DoubleClick & MSN
Tuesday, December 14th, 2010
Over the past couple of weeks, a few YieldBuild pubs alerted us about intrusive anti-virus ads loading on their sites. The ads would prompt users to click on “anti-virus” software and subsequently load malware onto victims’ machines. Because there wasn’t a massive outbreak of these ads across the YieldBuild publisher network, it was very difficult to track down the cause of the particular instances. When something like this occurs, it goes against the wishes of advertisers, publishers, website developers, programmers, and of course, users. And what is most difficult: detecting the culprit.
It has now been confirmed that over the past two weeks, both DoubleClick and MSN were victims of what is known as a “drive-by download,” an attack engineered by hackers resulting in the unintended download of computer software.
The preferred vehicles for these annoyances are actually banner ads (though they can also load via e-mail or pop-ups) that do not require a click to initiate downloads. Instead, the user’s browser tries to load (and thinks it is loading!) an advertisement but is in fact already downloading malware onto the computer.
What can we do to arm ourselves against these villainous creatures? Unfortunately, very little. Most of these viruses are deposited in the form of JavaScript, which many legitimate websites also use. But, all hope is not lost! Here are some tips for how to quickly detect malware and rid your computer of “malvertising”:
* Triple check domain names: According to Wayne Huang, chief technology officer at Armorize Technologies (a web security firm): “A domain name that is registered too recently – which also bears a suspicious resemblance to one that an ad network already uses – is a red flag.”
* Try to equip your machine with a malware detection program and anti-virus protection software.
* Report suspicious ads to YieldBuild support! The more detail you have about the advertisement (including a Firebug shot of the corresponding code), the faster we can work with our ad partners to both (a) figure out which network has been impersonated and (b) blacklist the faulty domains from serving again.
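The domain-name tip above can be checked mechanically. The following is an added example, not code from YieldBuild or Armorize: it flags an ad-serving host whose domain both resembles a known ad-network domain and was registered recently. The allow-list, thresholds, function names and the sample hosts and dates are assumptions constructed for illustration.

```python
from datetime import date

# Assumed allow-list: registrable domains of the two networks named in the post.
KNOWN_AD_DOMAINS = ("doubleclick.net", "msn.com")
RECENT_DAYS = 30  # assumed cut-off for "registered too recently"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Known domain whose name label this one imitates (same label under
    another TLD counts, as distance 0), or None."""
    label = domain.split(".")[0]
    for known in KNOWN_AD_DOMAINS:
        known_label = known.split(".")[0]
        limit = 1 if len(known_label) <= 4 else 2  # short names get a tighter limit
        if edit_distance(label, known_label) <= limit:
            return known
    return None

def check_ad_host(host, registered_on, today):
    domain = registrable(host)
    if domain in KNOWN_AD_DOMAINS:
        return ("known", None)
    imitates = lookalike_of(domain)
    recent = (today - registered_on).days <= RECENT_DAYS
    # Both signals together are the red flag; one alone only merits a look.
    verdict = {2: "red flag", 1: "review", 0: "no signal"}[bool(imitates) + recent]
    return (verdict, imitates)

# Constructed sample: hosts and registration dates are made up (reserved .example TLD).
TODAY = date(2010, 12, 14)
SAMPLE = [
    ("ad.doubleclick.net", date(2000, 1, 1)),
    ("ads.doublecllick.example", date(2010, 12, 5)),
    ("cdn.msnn.example", date(2008, 3, 1)),
    ("static.adpartner.example", date(2010, 12, 10)),
]
if __name__ == "__main__":
    for h, r in SAMPLE: print(h, *check_ad_host(h, r, TODAY))
```

In practice the registration date would come from a WHOIS or RDAP lookup for each domain seen in the ad code.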
For more information regarding the technical details of the DoubleClick/MSN attack and the threats that it posed, check out Huang’s blog post.


