Malicious "ransomware" banner ads go undetected

Security experts worry that an open-source Flash animation toolkit is being widely misused to create malicious banner advertisements.

Security researchers believe a legitimate toolkit used to create Flash animation is also helping cybercriminals fashion malicious banner advertisements that scare users into believing their machines are infected with malware.

Sandi Hardmeier, author of the Spyware Sucks blog, said Sunday that some malicious ads created using Fuse Kit are able to evade detection scans run by websites or third-party ad networks. She said Newsweek.com is the latest trusted website to unknowingly host a "malvertizement."

Simply visiting a page on the Newsweek site that contains the ad will cause a warning screen to appear that falsely tells users their machine is overrun by viruses. They are prompted to pay for and install a bogus anti-virus solution.

A Newsweek spokesperson could not be reached for comment.

"They are going to hit every site that they can, as often as they can, for as long as they can," Hardmeier wrote on her blog. "It worries me that I am seeing complaints about malvertizing-like symptoms all over the net implicating not only Newsweek but at other big names like MSNBC, Facebook, lime.com, Hotmail, MySpace and Yahoo."

Alex Eckelberry, president of security vendor Sunbelt Software, told SCMagazineUS.com on Monday that the free Fuse Kit product is a helpful tool for Flash designers and developers, but that it can also aid cybercrooks by allowing them to embed malicious scripts inside ads.

Moses Gunesch, Fuse project director, told SCMagazineUS.com in an email Monday that Fuse is an open-source utility that is not responsible for the animation people use it to produce.

"Fuse has nothing to do with the content people produce with it," he said. "It's just a motion tool. That would be like blaming paint for an ugly painting. There is nothing in Fuse Kit that can be exploited for malicious purposes -- all it handles is animation."

Eckelberry said the rogue ads are often built so that, all of a sudden, they begin serving malicious content – much to the surprise of the websites on which they are hosted.

"It's like a time bomb," he said. "It just sits there and then – boom. I think it's a very serious issue. I think the ad networks need to start taking a very close look at who their advertisers are."

Larger websites typically sell ads themselves. Hardmeier said these sites must also vet their clients.

"Websites simply must increase their due diligence checks with any new advertiser," she wrote. "It is going to take time, and it is going to cost money, but what alternative do websites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more visitors to their sites are going to block all advertising."

See original article on scmagazineus.com
Copyright © SC Magazine, US edition