Phishing Attacks Using Banner Ads to Spread Malware

Security problems involving banner advertising networks go beyond the recent distributed denial of service (DDoS) attack on DoubleClick. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. In a troubling development, phishing scams have recently demonstrated the ability to install keylogging trojans via banner ads.

The attack on DoubleClick caused performance problems for the network's clients. But in recent weeks, several smaller banner networks have been used to inject malicious code into web sites. In each case, the banner code serves as the trigger for a string of exploit scripts that trick Internet Explorer into downloading malware or spyware.

SANS analyst Tom Liston has documented several instances of Browser Helper Objects (BHOs) being installed through third-party banners appearing on web sites. In late June, an exploit used a banner on the yesadvertising.com network to auto-download a trojan that steals bank login information. The banner code launched a popup ad, which redirected the browser to a page that installed a keystroke logger.

Last month Liston noted banner ads being used to install spyware, including an adware BHO from Addictive Technologies that is widely considered a trojan, as it can retrieve and install files from an outside web or FTP site.

The manipulation of banner applications dates back to 2001, when a hacker used a compromised banner script to deface the Security Focus web site. The first instance of banner ads being used to download malicious software was discovered last fall, when a banner on the FortuneCity.com site installed the Qhosts browser hijacker, which altered the Internet Explorer home page on infected machines. The adoption of these tactics in phishing attacks is more problematic, as phishing scams seek to steal bank login information, which can then be used to loot their accounts.

Policing banner networks is problematic, as they range from large, reputable networks like DoubleClick to small banner exchanges, whose members display banners to share traffic with other sites. Scripts that manage banner ads are widely available in PHP and Perl, and can be easily installed on many shared hosting accounts and dedicated servers.

In several of the recent incidents, banner networks appear to have been compromised by hackers and used to distribute malicious code. Quality control is another challenge, since members of banner networks typically submit their own banner and URL. While many applicants are reviewed prior to acceptance to a network or exchange, participants are often free to substitute new banners or direct traffic to different target URLs.