Sponsored search results lead to malware

By Susan Bradley

The ads served by Bing and Google along with your search
results are linking more and more often to sites trying to
infect your machine.

Neither Bing nor Google effectively prescreens these bogus
advertisers, so it's up to us to detect and avoid them.

You may recently have used either Google or Microsoft's new
Bing search engine to find the popular Malwarebytes
Anti-Malware utility. If so, chances are good that the
sponsored ads alongside your search results contained links
to the very malware that the security tool is designed to

The three largest search sites (Google, Yahoo, and Bing)
regularly sell security-related keywords to criminals
looking to trick you into downloading and installing fake
anti-malware products. The crooks then steal your personal
information or hold your system for ransom before letting
you remove their malware from your machine.

The search providers have been aware of this for years. To
their discredit, they've done little to end the practice,
even though it's in their power to do so. The reason?
They're making money hand over fist from those sponsored
text ads and don't want to kill the goose that lays the
golden eggs.

Case in point: A Windows Secrets reader searched Bing for
Malwarebytes Anti-Malware. He clicked the first link
displayed and ended up on a site that installed a rogue
antivirus program on his PC. (See Figure 1.)

Figure 1. Malicious
sponsored ads are interspersed with links to legitimate
companies when you query search engines for the
Malwarebytes security program.

Rather than getting a tool to clean up a friend's infected
computer, this Web surfer ended up having to disinfect his
own. He and several other people I've heard from recently
were hit with the result of search services' selling
sponsored links without validating those links' legitimacy.

As search terms become popular, scammers jump at the chance
to have their bogus ads appear among the results. To get
their deceptive ads into these highly visible search
results, these criminals simply buy these high-traffic
terms from the search engines.

Big-name sites still serving up malicious ads

Another form of dangerous Web ads appears on otherwise
legitimate sites.

A year and a half ago, in an April 17, 2008, Top Story, WS
contributing editor Scott Dunn described infectious Flash
ads that achieved space on well-known sites. I also
reported on drive-by malware downloads in the June 11,
2009, Top Story. In the most-recent case, NYTimes.com and
other established sites hosted malware-infested ads. The
New York Times described the attack in a Sept. 14 article.

When malicious ads, or "malvertisements," enter the
rotation on these sites, your system may become infected if
you merely view the page. This is especially true if your
versions of media players based on Java, Flash, or
QuickTime are out-of-date.

It's getting so bad that even top officials at Google
acknowledge the problem, though they haven't yet taken
steps to halt it. Eric Davis, head of anti-malvertising at
Google, stated at the 2009 Virus Bulletin Conference that
the industry needs to work together to combat this problem.

As reported by Dennis Fisher on Kaspersky Lab's Threat Post
site, Davis called for the creation of an industry
clearinghouse that would certify ad servers. Such an
organization would allow all search vendors and other sites
to use online-ad agencies without fear that a malicious ad
would insert itself into rotation.

Microsoft has decided to use the courts as a weapon against
malicious advertisers. A Sept. 18 Associated Press article
posted on the MSNBC site states that the company is
attempting to go after several suspicious ad vendors.

Even using Yahoo or a smaller search index won't prevent
such attacks, because second-tier engines have been hit
with malicious ads, too, as a Sept. 25 story by Deborah
Hale on Incidents.org reported.

Ways to fight back against online attack ads

Following my investigation of the malicious ads on Bing, I
contacted the Microsoft Security Response Center, which can
be reached via secure at microsoft.com. Within a few days,
the offensive ads were removed.

However, searching on the term malwarebytes combined with
such words as virus and antivirus continued to return
dubious destinations in Bing's sponsored-links section.

The same type of ads appears among Google results when you
search on similar terms. Depending on the location you
search from, you may see a link to Cyberdefender.com among
the results. This company is listed on the hpHosts site as
selling fraudulent software.

I reported this site to Google via a Web form on the Google
site. But to date, no action has been taken to remove this
and related malicious links.

Unfortunately, balancing the scales of justice takes time.
What can you do in the meantime to help protect yourself
from these malicious ads?

* Don't expect flawless protection from your Web browser of
choice. Internet Explorer, Firefox, and other browsers now
support bad-sites lists, but not every malicious ad server
may be known. Nor are browser security add-ons perfect.
McAfee SiteAdvisor, for instance, may include results that
are up to one year old, as WS contributing editor Mark
Edwards reported on Feb. 12, 2009.

* If you're not sure, verify the URL. Microsoft and Google
have large payrolls, but the search giants don't employ
literal armies to review ad submissions. If you're at all
suspicious of an ad's legitimacy, check the URL via a
service such as hpHosts, which tracks domain names that
researchers have reported as malicious.

* Help vendors by reporting malicious advertisers. To
report bogus ads on Google, e-mail security at google.com.
This is likely to be more effective than reporting the site
via the search giant's online form. If you discover malware
purveyors advertising in Bing's results, e-mail secure at
microsoft.com. Yahoo, however, offers only a Security
Phishing Report Form.

I do hope that Google, Microsoft, and Yahoo can put their
differences aside and correct this situation. In the
meantime, be careful when you search and be suspicious of
sponsored links. Too many of them are fictitious these days,
and dangerous.
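
The "verify the URL" advice above can be automated against a locally saved blocklist. The following is an added example, not part of the original article: it assumes the list is in hosts-file format, and the sample entries, domains and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in hosts-file format; the domains are placeholders,
# not real blocklist entries.
SAMPLE_BLOCKLIST = """\
# constructed sample, hosts-file format
127.0.0.1  localhost
127.0.0.1  fake-av-scanner.example   # rogue antivirus (constructed)
0.0.0.0    Ads.BadNetwork.example
"""

def load_blocklist(text):
    """Return the set of lower-cased hostnames listed in hosts-format text."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        for name in fields[1:]:                  # fields[0] is the sink address
            name = name.lower().rstrip(".")
            if name != "localhost":
                hosts.add(name)
    return hosts

def ad_hostname(url):
    """Extract the host a link really points to, not the text it displays."""
    parts = urlsplit(url)
    if not parts.netloc:                         # ad copy often omits the scheme
        parts = urlsplit("//" + url)
    # .hostname drops any "user@" prefix and port, and lower-cases the result
    return (parts.hostname or "").rstrip(".")

def check_ad_url(url, blocklist):
    """Return the blocklist entry matching the URL's host, or None."""
    labels = ad_hostname(url).split(".")
    # Test the full host, then each parent domain, but never the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

if __name__ == "__main__":
    listed = load_blocklist(SAMPLE_BLOCKLIST)
    for link in ("http://download.fake-av-scanner.example/setup.exe",
                 "http://malwarebytes.example@fake-av-scanner.example/",
                 "www.malwarebytes.example/mbam"):
        print(link, "->", check_ad_url(link, listed) or "not listed")
```

A "not listed" result only means the host is absent from the list, which is the same limitation the article notes for browser bad-sites lists.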
