Rhapsody, Expedia Websites Spawning Malware

Websense Inc., on January 22, 2008, published a research report that discusses the trend of legitimate Websites being compromised and converted into malware-pushing sites. The report, which classified 51% of sites as malicious during the last six months of 2007, claims that these sites had been subject to compromise by exploit code. The rest 49% were deliberately crafted to spread malware.

The conclusion Websense draw is further reinforced when experts from Trend Micro, a security firm, reported that two Websites - Rhapsody.com and Expedia.com - have been producing banner ads to trick visitors into downloading counterfeit anti-spyware.

Security experts at Trend Micro also reported that during the third week of January 2008, some more Websites were maliciously attacked. These belonged to the Embassy of the Netherlands in Russia, the Embassy of Ukraine in Lithuania, and the Ministry of Foreign Affairs in the country of Georgia. The sites were all compromised to affect visitors with attack code.

According to Research Project Manager Jamz Yaneza at Trend Micro, Rhapsody and Expedia are both generating Shockwave ads containing malware. Networld published this in news on January 30, 2008.

Yaneza further said that the Expedia site serving a banner having malicious code dubbed SNF_ADHIJACK.A attempts to take its visitors to another malicious site that downloads and installs the TROJ_GIDA.A Trojan.

Network Architect Paul Ferguson at Trend Micro commented that the online crooks are somehow managing to add these damaging banners to the supply chain of ads. Computerworld published this in news on January 30, 2008.

Ferguson credited Microsoft's Most Valued Professional (MVP) Sandi Hardmeier, running the blog "Spyware Sucks", with being first to report the flow of malicious ads from Rhapsody and Expedia. Hardmeier posted elaborate notes on January 21, 2008 describing the behavior of these sites. She noted the harmful banner coming from Expedia was linked to a domain widely known for spamming malware.

Spokeswoman Ronda Scott for RealNeworks confirmed that Rhapsody served malicious ads from its music service. She said this was made known to Real on January 20, 2008 after which the ads were cleared on January 24, 2008, according to news from Computerworld.

» SPAMfighter News - 2/8/2008