It isn't clear who coordinated the release of the malware, but whoever it was wanted users to pay by putting software on their computers that makes it appear there is a problem, when in fact the downloaded software is what causes the system to malfunction, says Wayne Huang, chief technology officer at Armorize Technologies, a web security firm.
The malware displayed a fake error message at random on the PC. The message urged the user to download a program called HDD Plus to fix the supposed problem. In fact, all that happened was that the user was redirected to a web site that harvested credit card details and took a payment.
This kind of malware doesn't tend to do lasting damage to a machine, Huang said, because the criminals using it want to control the computer, and for it to reach their web site it has to keep working. The incident underscores a weakness that Huang says more advertising networks, such as DoubleClick and Microsoft, should be wary of.
The malicious ads were submitted from a domain called adshufffle.com. The name closely resembled adshuffle.com, which DoubleClick had worked with before and which is in fact a legitimate purveyor of advertisements. Huang says it isn't hard to automate a check on a domain's registration date; adshufffle.com was registered only a few days before the attacks started.
A domain name that was registered very recently - and which also bears a suspicious resemblance to one the ad network already uses - is a red flag, he says. Another good tactic would be equipping PCs with virus protection that focuses on the behavior of code, rather than trying to pick out a recognizable file from a list.
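The two signals Huang describes, a fresh registration date and a near-miss spelling of an existing partner's domain, are easy to combine into an automated vetting step. The script below is an added example written for this article, not code from Armorize or from any ad network. The partner allow-list and the WHOIS creation dates are constructed inline so it runs offline; a real deployment would fetch the creation date from WHOIS or RDAP, and the 90-day age threshold and edit-distance cutoff of 2 are assumed tuning values.

```python
import datetime as dt

# Constructed allow-list: domains the ad network already does business with.
KNOWN_PARTNER_DOMAINS = {"adshuffle.com", "doubleclick.net"}

# Constructed WHOIS creation dates standing in for a live WHOIS/RDAP lookup.
# The dates are assumed for illustration, not taken from real registry data.
WHOIS_CREATED = {
    "adshuffle.com": dt.date(2006, 3, 14),
    "adshufffle.com": dt.date(2010, 12, 4),
    "example-media.net": dt.date(2003, 1, 20),
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters.

    Transpositions matter for domain look-alikes ("dobuleclick" vs "doubleclick").
    """
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def domain_age_days(domain: str, today: dt.date, whois=WHOIS_CREATED):
    """Days since registration, or None when no creation date is available."""
    created = whois.get(domain)
    return None if created is None else (today - created).days


def lookalike_of(domain: str, known=KNOWN_PARTNER_DOMAINS, max_distance: int = 2):
    """Return (partner_domain, distance) for the closest partner within max_distance, else None."""
    best = None
    for partner in sorted(known):
        if partner == domain:
            continue
        dist = damerau_levenshtein(domain, partner)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (partner, dist)
    return best


def vet_domain(domain: str, today: dt.date, min_age_days: int = 90):
    """Classify a submitting domain as 'allow', 'review' or 'block' with the reasons found.

    Input should be the registrable domain (no scheme, no subdomain); it is lower-cased here.
    """
    domain = domain.strip().lower().rstrip(".")
    if domain in KNOWN_PARTNER_DOMAINS:
        return "allow", []

    reasons = []
    age = domain_age_days(domain, today)
    if age is None:
        reasons.append("no WHOIS creation date available")
    elif age < min_age_days:
        reasons.append(f"registered {age} days ago (threshold {min_age_days})")

    match = lookalike_of(domain)
    if match is not None:
        reasons.append(f"resembles existing partner {match[0]} (edit distance {match[1]})")

    # A fresh registration that also mimics a partner is the red flag Huang describes;
    # either signal alone is only grounds for a human review.
    recently_registered = age is not None and age < min_age_days
    if recently_registered and match is not None:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    day = dt.date(2010, 12, 9)  # assumed date of the check, for illustration
    for candidate in ("adshuffle.com", "adshufffle.com", "example-media.net", "unknown-brand.org"):
        print(candidate, vet_domain(candidate, day))
```

Run on the constructed data, the real partner is allowed, adshufffle.com is blocked because it is both days old and one edit away from adshuffle.com, and an unknown domain with no WHOIS record is queued for review rather than silently accepted. Registrars can return no creation date for some TLDs, which is why the missing-date case is treated as a signal instead of a pass.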
Both Microsoft and DoubleClick, which is owned by Google, said their own malware detection systems picked up the intrusion in a short time.
"Microsoft immediately identified the attack on our network and took action to remove the malware. We remain vigilant in protecting consumers, advertisers and our network from fake online insertion orders and are working directly with our agency media partners to verify and confirm any suspicious orders," said a Microsoft spokesperson in an emailed statement.
"We can confirm that the DoubleClick Ad Exchange, which has automatic malware filters, independently detected several creatives containing malware, and blocked them instantly -- within seconds. Our security team is in touch with Armorize to help investigate and help remove any affected creatives from any other ad platforms," wrote a spokesperson for Google.
Huang wrote in a blog post outlining the technical details of the threat that he contacted DoubleClick on Dec. 9, about a week after other security firms had also detected a problem. Once DoubleClick was alerted to the impersonation, Huang said, he was impressed with the speed with which it dealt with the problem.
He added that while this kind of attack is geared to PCs, Macintosh users shouldn't be complacent. The only reason it isn't common on Macs is that they are less popular, Huang says.