Threat Management, Incident Response, Malware, Phishing, TDR

Malicious banner ads appear on Expedia, Rhapsody sites

Malicious banner advertisements delivering malware have appeared on two popular websites, travel planning site and music-download site

The malicious ads were developed with the popular Flash programming software that allows the creation of animated graphics, according to security researchers at Trend Micro. The ads were first discovered by independent security researcher Sandi Hardmeier, a Microsoft Most Valuable Professional (MVP) who runs the "Spyware Sucks" blog available at, according to Trend Micro researchers.


Trend Micro detected the malicious Flash-based banner ad as SWF_ADHIJACK.A, according to a blog posting available at by the company's Bernadette Irinco.

"Based on initial analysis, clicking on the ad leads to several redirections, which eventually result in the installation of a rogue anti-spyware detected as TROJ_GIDA.A," she explained.

"We're now seeing technologies, like Shockwave and others, being re-purposed to inject malicious code into banner ads," Jamz Yaneza, a research project manager with Trend Micro, told


"We don't mean to pick out Expedia and Rhapsody," Paul Ferguson, an advanced threat researcher with Trend Micro, told "They're just the latest example of brand-name sites unwittingly serving up malicious ads -- it's no fault of theirs. Some malicious people are poisoning the ad supply chain."

Ferguson placed the blame on the ad-serving networks who act as agents for advertisers who want to place banner ads on websites. "They're the real problem," he said. It's like shuffling a deck of cards, and the ads a particular website gets depend on the algorithm the ad networks are using, he added.


Those networks need to do a better job of vetting their ads, Ferguson said. "If the advertisers who supply these ads don't examine what they're serving to their subscribers, we'll see more of a Russian roulette-type of situation, where visitors won't click on banner ads. [The sites] rely on advertising to bring in [revenue], and when consumers don't trust banners, it will affect the supply chain."


An Expedia spokeswoman acknowledged to that the company's website had been compromised earlier this week. "We discovered a banner ad on our network from an impostor advertiser who was able to circumvent Expedia's advertising policy in order to serve an intrusive pop-up window," Expedia spokeswoman Katie Deines told "We ceased delivery of the ad immediately upon discovering it."


Dealing with malicious banners is an industry-wide issue, with criminal organizations targeting many responsible and prominent media sites and reputable online brands, she added. "These organizations utilize increasingly insidious tactics to obfuscate the intended behavior of their ads, making it difficult for media providers to identify malicious campaigns."


Hardmeier told that it is extremely difficult for websites to keep malicious ads off their sites. This is because the bad guys use ‘allow' and ‘block' lists to control who will experience a redirect to a site hosting a redirected malware file, she said. “Invariably, these block lists will hide the redirect from the victim website's IP address, the host advertising network's IP address, and will hide the redirect from entire cities or states or even countries.


Hardmeier warned IT departments hoping to block these kinds of attack to “not  lock down Internet Explorer so much that your users dump all of their sites into IE's Trusted Sites Zone just to get them to work.” She also urged IT professional to “NOT depend on Firefox to protect your users. They will also see the redirect and pop-up window warning of infection. This is a social engineering attack as well as a drive-by download.”


She suggested that end-users should not depend on anti-virus software for protection. “It is of no help when it comes to the initial SWF that triggers the first redirect.” She does suggest, however, that they install a Flash blocker -- IE7Pro, for example -- which includes an ad and Flash blocker that “will make all the difference in the current dangerous environment.”


RealNetworks, which operates, did not respond to's request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.