DoubleClick Serves Up Vast
Malware Blitz"> On Nov. 12, Web sites marketing professionals were flooding industry e-mail lists with reports of complaints from readers that they have been receiving inappropriate ads. Marketing professionals have complained of their ad servers being "hijacked" at sites, including The Wall Street Journal, Discovery and BizJournals. Its not that the servers have been hijacked, Harvey said, but rather that a toolbar or some other mechanism is overlaying the intended ad with inappropriate content. "It looks like we are all in the same boat," one marketer said in a message to the mailing list.Its not clear yet whether all the sites are having the same problem, given that some sites are delivering the bogus anti-spyware and others are experiencing normal ads being replaced with ads for porn or other inappropriate material. To read about why the Google-DoubleClick deal is facing Senate scrutiny, click here. As for the bogus anti-spyware code its origin the German company AdTraff.com. AdTraff had not responded to inquiries as of the time this article posted. Google, which has proposed a $3.1 billion buyout of DoubleClick, declined to comment. Harvey said in a statement that this is "an industry-wide challenge; unfortunately, there are bad actors who misrepresent themselves and purchase advertising as an avenue to distribute malware. This has the potential to affect all businesses and consumers in the online environment." Even as DoubleClick monitors its online environment for malwareit has a dedicated team that works around the clock on the issuemalware writers are working to adapt to its new security measures, Harvey said in the statement. "As with any system (Norton, McAfee, etc.) designed to root out bad actors, there are going to be times when the bad actors are a step aheadwhen this occurs, we immediately cease serving the infected ads, and then work to refine our system so that similar ads are captured and disabled before they are ever served (just like when Norton provides a patch in response to a new threat)," the statement said. DoubleClick has alerted its clients, particularly publishing clients, of the need to pay close attention to the advertisers, agencies and networks with which they work. When clicked on, the bogus anti-spyware ad presents in the lower right-hand screen corner a dialog box informing users that their computer is infected and that they need to download a scanner immediately. Warning: If clicking on the following link, do not click "OK" to any dialog boxes; instead, simply close out the browser window. This is a link to the bogus infection scan thats presented to victims. Eckelberry said that the Trojan consistently reports that malware has been found even on systems known to the security firm to be perfectly clean. Sunbelt and other security researchers see this type of misleading ad, which uses convincing warning dialog boxes that look like legitimate Windows messages, on a regular basis. Adam Thomas, a researcher at Sunbelt, said the IP address for the AdTraff.com ads overlaps with those used by Innovative Marketing, which has a long history of misleading on the Internet. AdTraff.coms domain registration also lists the same Yahoo.com e-mail address as Innovative Marketing, Thomas said. "These guys are just slimy advertising guys," Eckelberry said. Ad hijacking is a constant problem, Eckelberry said. That makes it essential that online publishers and others who serve ads vet the advertisers to whom they hand their spaceand their visitors eyeballs. Editors Note: This story was updated to include comments from Sean Harvey, to correct its original depiction of DoubleClicks culpability and to clarify Web publishers culpability in serving malicious code.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Another marketer said his company had already shut down one of its networks that was devoted to serving up ads and had suspended all third-party ads on another site.