Network News

X My Profile
View More Activity

When Ads Go Bad

A long-time trusted source recently alerted me that some inappropriate advertisements were running on Neopets.com, a Web site full of addictive Macromedia Flash games aimed at pre-teens. Surprisingly, the curators of Neopets.com -- major media conglomerate Viacom -- are disavowing responsibility for the racy ads, saying they did not exist on their network and instead were the result of adware or spyware on my source's computer.

Included is a screenshot taken of one of the multiple ads I found on the site, which linked back to Internet dating site True.com. A Neopets.com spokesperson said the ads could not have possibly have been served through its site, and that the ads must have been displayed by malicious software.

"This appears to be a 'malicious' software program and we are aggressively investigating its origin," the company said in an e-mailed statement. "We would never accept this type of ad on any of our company's sites as it doesn't meet any of Neopet's standards."

Neopets could not specify any particular adware or software in existence today that exhibits this type of ad-swapping behavior, but offered to put me in touch with an expert who could talk about how it would be theoretically possible for such malware to exist. Scans with several anti-spyware and anti-virus products returned a clean bill of health on my source's PC.

I've heard of adware and spyware that hijacks search results, and adware that serves pop-up and pop-under ads. But I don't believe I've ever seen end-user malware that replaces legitimate ads with specific, out-of-network ads that just happen to fit the formatting, size and shape of the host Web site.

Here's another snapshot of an ad on Neopets.com for Zango, a notorious adware company that has a long history of advertising its software in the most unusual places.

Eric Sites, a researcher for anti-spyware firm Sunbelt Software, said he's never heard of such adware or spyware either. Sites said some ad networks will give clients a preview of the ads before customers decide whether to deploy them on their sites, while other networks lack that feature.

"The big problem is when the ad network sublets space," to third-party ad networks, Sites said.

Two add-ons for Firefox can let users decide which ads they'd like to see. The "noscript" add-on blocks most ads, and all Flash-based advertisements, unless the user has temporarily or permanently allowed ads from a distributor. The "Adblock" extension takes blocking ads on Firefox to another level entirely.

So what say you, readers? Has anyone heard of or seen adware/spyware that does what Neopets described?

Update, 4:04 p.m. ET:Steve Stratz, a spokesperson for Zango, had this to say in an e-mail today: "We are aware of an issue involving banner ads -- not just Zango ads, but banner ads from a number of prominent online advertisers –-- being inserted unexpectedly on inappropriate Web sites, including those focused primarily on visitors under the age of 18. Our security team has been working this issue and has forwarded its findings, which we believe to be a virus, to others looking to stop this problem, including federal law enforcement authorities. We welcome any and all information related to this issue, not to mention the opportunity to more broadly share the findings from our investigation to date and collaborate in tracking down the culprit(s)."

By Brian Krebs  |  March 10, 2008; 12:34 PM ET
Categories:  Fraud , From the Bunker , Safety Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: The FDIC Computer Intrusion Report
Next: Microsoft Patches 12 Office Security Holes

Comments

Sandi Hardmeier, noted MS-MVP Internet Explorer\Windows Security has by far and away the most detailed information on malicious banner ads anywhere I've seen:
http://msmvps.com/blogs/spywaresucks/default.aspx

She's the go to source without a doubt.

Posted by: TeMerc | March 10, 2008 1:04 PM | Report abuse

Of course its theoretically possible. But its technically difficult. You could have spyware that poisons the local hosts file to redirect common ad domains- like double click- to serve up separate ads from a different provider with the intent of distributing malware and botnets.

This way malware authors don't have to work to create malware that exploits holes on local PC's. They just serve up trojan programs that masquerade as the software the user wanted to download.

Rather than being accused of serving malware or compromising PC's, which is a felony, Malware authors can always claim that botnet users "opted in" to join the network.

Posted by: BelchSpeak | March 10, 2008 1:14 PM | Report abuse

Hunh, I'm betting they sub their ads and someone goofed. Instead of claiming it's the users fault ("you're infected!!!"), they should first verify that either they (Neopets) or the sub didn't make a mistake first.

Posted by: reswob | March 10, 2008 1:19 PM | Report abuse

Most likely, Bad Guys (tm) have managed to poison the ad supply-chain somewhere along the way, and feed malicious and/or adult advertisements into the supply. This sets up an unfortunate situation where everyone involved says "It's not me" and the problems festers.

Unfortunately, this particular problem is becoming worse, not better. No one is really policing the ad supply chains or the third-party affiliates.

- ferg

Posted by: Fergie | March 10, 2008 1:21 PM | Report abuse

Adblock Plus from Mozilla is a better choice than Adblock:

https://addons.mozilla.org/en-US/firefox/addon/1865

Posted by: Gin/ | March 10, 2008 2:38 PM | Report abuse

Just to throw it out there, this is a great customized "hosts" file that not only blocks ads, but most malicious websites regardless of which web browser is in use:

http://www.mvps.org/winhelp2002/hosts.htm

It is usually updated once a month, so either check for updates or subscribe to the mailing list. Also, as is wisely prescribed anyway, using a limited user account will prevent any modifications to the "hosts" file by malicious programs as well as protect the system overall.

Posted by: TJ | March 10, 2008 2:53 PM | Report abuse

I'm checking my hosts file to see if neopets.com is already in there.
If not, I'm adding it.

A poorly secured site is almost as bad as a direct threat and should be treated accordingly.

Posted by: Ken L | March 10, 2008 4:29 PM | Report abuse

The problem with 3rd-party advertising is that there are very limited 'checks & balances' between server and client. Clients usually have no idea what ads are being served on their site because they have given ALL control to the advertiser for that piece of their site's real estate. So, it is very easy for the wrong ads to end up on a site that doesn't want them.

Why? Because most ad companies really don't monitor (or care) what they serve you. If someone with an ad pays the adservice enough, those ads will infiltrate many sites.

The problem with internet ads is that there is no responsibility ANYWHERE in the chain. I pay for an ad to be distributed (even if it is badware) ... the adserver serves it ... the client site allows it. Unlike any other media, when something goes wrong with 3rd-party internet advertising, everyone blames the other and all claim "stupidity" about a problem. There is no accountability from ANYONE! Just try to get compensation for a trojan or a bad product from any of them. I hate and don't trust anyone in that circle at all. It's all about 'free money without responsibilty' .. and that is all!

Believe me, I see it all the time ....

... rick752 - author of the EasyList Subscription Filters for Adblock Plus.

Posted by: rick752 | March 10, 2008 6:31 PM | Report abuse

This must be a serious issue if Steve had to be pulled away from his Wikipedia editing.

Posted by: Sean | March 10, 2008 6:51 PM | Report abuse

Sean, now THAT'S funny...and rings very true. Actually, I believe Zango knows exactly what is happening and it is likely done by them, for them and/or with their approval.

And Rick, you hit the nail on the head. The internet ad delivery system is a HUGE problem. It ranks right with affiliate marketing as one of the Web's dirty little secrets, and biggest problems.

Posted by: The Dean | March 10, 2008 9:44 PM | Report abuse

I have been seeing more of these, it was mildly interesting seeing some popup scan C:\ when I actually operate from /home.

D.

Posted by: DOUGman | March 10, 2008 10:24 PM | Report abuse

Brian, of course you would be familiar with asware that spawns pop-unders. The Washington Post website is notorious for this sleazy and sneaky behavior. What a waste of resources! I'm sure when I click the ads away, someone is counting it as a set of eyeballs on the content. How lame!

Posted by: Pete from Arlington | March 11, 2008 9:51 AM | Report abuse

Asware? How Freudian. I meant adware.

Posted by: Pete from Arlington | March 11, 2008 10:50 AM | Report abuse

brian -- looks like you need to really revise this post. i've seen these all over the net and there is no issue with the sizes. it's extremely easy to match the requested ad size. this isn't a neopets problem (or any publisher problem).

Posted by: lurker | March 11, 2008 1:06 PM | Report abuse

My company has seen it before. So far, the malicious program has always resided on the user's computer (because it does not show up network wide) and causes the display of a similar ad size right over the top of the legit ad. In our investigations (we worked with a client who had an infected computer) we can see the ad call come in and the ad go out, but the user sees a completely different ad. It is actually pretty sophisticated stuff (time of day limits, frequency caps, etc.).

As for "no responsibility" comment - not true. It costs us money when this happens because publishers stop displaying ads or advertisers pull campaigns. Moreover, as a third party network, our reputation for quality is our life blood. Without it, we can't get access to premium inventory or advertisers. Unfortunately, it only takes one or two bad actors to taint the entire industry.

Posted by: LawHoo97 | March 11, 2008 1:13 PM | Report abuse

Why not just use the great "service" at http://hosts-file.net/ ?

Download the host text file and your computer will not seek out those ads.

Posted by: Mark Palmer | March 11, 2008 3:21 PM | Report abuse

So, are you guys (Wanejon, LawHoo97 and lurker) saying that that Brian's machine is infected? "It's not NeoPets or the publishers,etc." He grabbed screenshots of the ads gone bad - I assume on a PC of his own...

Posted by: Pete from Arlington | March 12, 2008 10:15 AM | Report abuse

There are two commonly abused vulnerabilities that can account for these ads showing up on some system but not others.

The first is to make sure your Flash version is up to 9.0.115.0 since this is a very bad vector to expose to the Internet if it is not updated.

The second is to ensure that if you are running Sun Java to update to the new version 1.6.0.5 (if you are running 1.6.x.x), just go to your control panel and see if there is a Java icon if there is choose the update tab and get the latest version for your platform since 1.4, and 1.5 are still supported.

IMHO I recommend getting the 1.6 version since it runs faster.

So technically it can be both the ad space specifically if it is Flash since Flash supports jscript and has had multiple updates in the last 3 months for vulnerabilities of this sort.
An ad can be infected with the malicious script and show fine on some systems and show the redirected ad on others.

Another very helpful tool comes from http://secunia.com in the form of their PSI or Personal Software Inspector as it will tell you which applications need to be updated. This is especially important for those applications that are extended to the web browser since that is the most common attack vector in use today.

Fred Dunn

Posted by: Update Your Sun Java | March 12, 2008 11:04 AM | Report abuse

I first received complaints about inappropriate and/or malicious advertising appearing on Neopets in December last year, but have not been able to reproduce the problem. I'd be grateful if anybody who has seen the problem could contact me (Brian has my email address).

Sandi

Posted by: Sandi Hardmeier | March 12, 2008 6:55 PM | Report abuse

Hi, I'm a neopets player. I just found this article. The ads on the site are very distracting to the game play. The owners of Neopets are increasingly adding more and more ads to the site. No one I know ever click them, and most try to ignore the ads.

Could someone please tell these guys that less is more?

The actual game play used to be fun, but now there are so many ads. I'd like to find out how many people actually click them, and if adding yet another advertisment helps. There used to be just one little tiny ad. Then they had a top banner. Now they have side banners, top banners, bottom banners, and ads just everywhere. They even redesigned the games room, where a lot of people play, to ad yet another ad there!

Posted by: Smudgeoffudge | April 8, 2008 2:58 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company