Google DoubleClick Unknowingly Served Up Malicious Ad

JavaScript-based drive-by attack automatically infected website visitors with fake antivirus

Major online ad network Google DoubleClick this month inadvertently posted a malicious advertisement on websites that infected users visiting sites running the ad.
This was no typical malvertising campaign attack, says Wayne Huang, CTO and researcher at Armorize, who discovered the threat. The ad automatically installs a rogue antivirus program on the victims computer and holds it for ransom until the user purchases software to fix it.
Its a JavaScript program that tries to exploit multiple vulnerabilities in your browser. It will succeed and then a malicious program is installed without the website or malicious ad tricking you to install it, Huang says.
The malicious program includes both a backdoor Trojan and the fake AV. Its a real Windows program, and if you try to execute another program, it wont let you do anything. It tells you your hard disk is failing, he says.
The malware in question is HDD Plus, which has been mysteriously spreading around the Internet during the past few days, including via msn.com, according to Armorize. A lot of people were talking about it, but no one said one of the means it was spreading was through DoubleClick, Huang says.
The attackers used a name similar to the legitimate AdShuffle online ad firm, but with an extra letter f, just enough to fool DoubleClick into posting the ad on websites. The ads first appeared around Dec. 4, and DoubleClick had caught and removed the malicious ad, which featured greeting cards as well as other items, by Dec. 8, according to Huang, who says he doesnt know how many users might have been infected.
The malware targets Internet Explorer, but it also uses exploits that go after PDF plug-in flaws in other types of browsers. Huang says most AV packages should detect the malware now. The attack demonstrates just how easy malvertising attacks can be executed, he says.
You dont need to compromise a website, just submit an ad on an exchange, he says. Its as easy as registering a similar domain name as an existing advertiser.
Huang is posting a blog
here today
with more details on the attacks.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google DoubleClick Unknowingly Served Up Malicious Ad