Microsoft Goes Hunting for Malvertisers. Are They the Same Guys Who Hacked the New York Times?
The hackers who duped the New York Times (NYT) into serving a bogus ad last week may be part of a growing trend. Or they may just be very active: Microsoft says it has been hit by a similar attack and is suing the people behind it.
But first the company needs to figure out who the culprits are.
Microsoft (MSFT) has filed five so-called “John Doe” civil suits against the hackers, whom it can’t identify yet. Redmond accuses the unknown attackers of a variety of crimes, from fraud to copyright infringement; it says it hopes the filings will “deter malvertising in the future.” (See full text of the complaint below.)
There’s a decent chance that the Microsoft bad guys are, in fact, the same guys who hijacked the Times last weekend. The methodology they used to get the ads onto Redmond’s MSN publishing network seems similar, and so does the fake “virus detected” warning the ads use to confuse surfers.
And, intriguingly, online ad monitor Click Forensics says it thinks it has identified a link between the malware that the Times served up and the stuff that the Microsoft attackers were trying to distribute. The company also thinks the two attacks are connected to a click fraud ring it has dubbed the “Bahama Botnet.”
Even if Microsoft does end up getting its hands on these guys, I think we’ll be seeing more of this stuff. Since the Times story broke last weekend, I’ve been talking to a variety of ad tech experts about the incident. And it sounds as if the technique the hackers used to compromise the paper, essentially passing themselves off as legitimate advertisers, will be very difficult to stop if someone is determined to use it.
The best solution I’ve heard so far: monitoring systems that can quickly detect an attack and warn publishers that they’re running malvertisements. It’s unclear how long the bogus Times ad stayed up, but the fact that it got switched on over the weekend indicates that the attackers assumed the paper would be slow to react.
Comments
Peter, what do your experts say about the way the code was hosted? It seems in all of these incidents, the actual malware was hosted on a compromised web server. How are the hackers pulling that off, I wonder? Also, do we know anything about what happens to a Windows user who stumbles into this exploit? Are they automatically infected, or do they have to click on a page link? And if so, what with?
At the risk of becoming a broken record on this, I think too many words are being expended on tut-tutting the NY Times et al., when so little of real substance is known about how this attack works and what it does to its real victims.
Perhaps your experts can offer us some news we can use.
Posted by Mitch Stone at September 18th, 2009 at 11:35 am

You should upgrade to a CD player, Mitch! Wave of the future.
You get infected if the ad convinces you to download an .exe file. Unclear what happens after that (anyone want to try it and tell us?) though the stuff the Click Forensics guys are looking at is designed to harness many computers w/click fraud in mind, as noted above.
Posted by Peter Kafka at September 18th, 2009 at 12:02 pm

I didn’t get your joke, Peter. Maybe because it’s a Monday.
I read the Click Forensics article. It did not help my comprehension of the situation very much, and I’m more technical than average, so I doubt many would get anything useful out of it.
In any event, as nearly as I can tell, my main point hasn’t been addressed by the experts. My reading and personal experience with this thing suggests that web servers are being hacked to host this malware. To me, that seems like a bigger story than the Times running an ad from a company they didn’t thoroughly vet — as if anyone does that anyway.
Posted by Mitch Stone at September 21st, 2009 at 9:34 am