Even online ads can be a security hole!

An article in the New York Times explains how a group or person was able to get malicious code inserted on the New York Times website, giving readers the impression that a program was scanning their computer.

New York Times Malicious Ad Code Inserted

The NYTimes article explains that this attack via online ad systems has already hit companies like FoxNews.com and The San Francisco Chronicle.

As you can see in the letter below from Publicis-owned Starcom, this is obviously being taken very seriously and security is being tightened up around the ad insertion procedures…
Publicis-Starcom_Media-Partners_Letter (PDF)

Barclays increases security

An article at Out-Law explains how Barclays will, beginning next year, be providing customers with a hand-held card reader device allowing them to generate a one-time password.
As Out-Law explains, the move follows an Apacs recommendation for more security measures:

“In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers,”

I recommend reading the article, which provides very interesting information on how Barclays handles online fraud with regard to its customers:

Asked if the bank refunds victims of phishing attacks who revealed their security details to a fraudster, Holloway indicated that the professionalism of a particular attack will be relevant and each instance would be judged on a “case by case” basis. Barclays does not disclose how many of its customers have suffered such attacks.

And if you don’t know the site Out-Law, it’s well worth subscribing to!

When will this be taken seriously?

I have spent at least five hours recently, over the phone and on site, fixing computers that have been infected, not by viruses, because I have got family and friends to install antivirus software like NOD32, but by spyware!

Annoying pop-up messages that often sound scary to novices: “You have been infected by spyware”, “you must download this software”… And they are real pains to get rid of. You either have to install spyware removal software, which has twice in my experience crashed the computer, or manually search and destroy (sorry, remove)!

I just don’t understand why, as with spam, more isn’t done against people who advertise through this medium, a practice that can also seriously damage people’s lives when hackers take advantage of it to take the issue one step further…

Ads can be served to you by reputable web sites that are unaware of the malicious intent of the spyware-installing companies engaged in this type of business. Ads like these suddenly pop up on your computer, sometimes before you have even typed anything in the browser:

ClickSpring Ad Example

An article at washingtonpost.com’s Security Fix discusses a recent spyware campaign and does a great initial job of researching the people behind the so-called DeckOutYourDeck ad. This extract explains how the iDefense analyst Michael La Pilla followed, as far as possible, the trail of the security flaw that comes from images in the Windows Metafile format:

Using software that captures and analyzes Web traffic, La Pilla found that the installation program contacted a Russian-language Web server in Turkey that tracks how many times the program was installed, presumably because most of this adware is installed by third parties who get paid for each installation. The data there indicate that the adware was installed on 1.07 million computers, La Pilla said, adding that all seven of the Internet addresses contacted by the downloader Trojan appear to be inactive at this time.