Name-brand Web sites such as Expedia.com and Rhapsody.com have been serving up malicious banner advertisements this week, researchers said Wednesday.
Rigged banner ads built with Flash have worked their way into the popular travel site of Expedia and into the advertising rotation of the Web site of RealNetworks' Rhapsody music-subscription service, said a pair of researchers at Trend Micro. Unwary users who click on the tricked-out banner ads eventually end up with malware installed on their PCs.
"Somehow, the bad guys are managing to get these malicious banners into the ad supply chain," said Paul Ferguson, a Trend Micro network architect. He and a colleague, Ivan Macalintal, a senior research engineer, declined to guess what tactic was used to place the banners on the sites, but they pointed fingers at ad networks.
"These sites are relying on the ad supplier to vet the ads," said Ferguson. "But they're not doing their job. They're not doing any vetting."
It's getting worse, added Ferguson. "This is a real problem," he said. "We've been seeing a lot more of this lately, especially in the last two months or so."
Ferguson credited Sandi Hardmeier, a Microsoft MVP (Most Valued Professional) who runs the "Spyware Sucks" blog, with first reporting the malicious ads coming from Expedia and Rhapsody. Hardmeier posted extensive notes on the two sites' behavior on Monday. She noted that the malicious banner served by Expedia originated from a domain well-known for pushing malware.
"This is an easy way for attackers to surreptitiously spread malware," said Ferguson.
Representatives from Expedia.com and Rhapsody.com did not respond to requests for comment.
That wouldn't surprise Ferguson, who said there was a "50-50" chance a site would react when notified of malicious ads stemming from its domain. "Some people don't think it's their problem, at least until someone publicizes it," he said. "They really need to share the responsibility with the ad suppliers. It's damaging their brand's reputation, after all."