ITV Website Forces Scareware Package Through Banner Ads

Users who visit the Website of the UK broadcaster ITV face the danger of pop-up programs that expose them to scareware software called Cleanator. The pop-ups display malicious banner advertisements and upload Cleanator scare package. These banner ads are also displayed on the Website of Radio Times.

Radio Times assured that it cleared the disturbing ads from its site on February 20, 2008, following reports about the problem the previous day. But for the ITV site, the solution of this problem is still not confirmed.

Cleanator is described as a fake security application that displays false alerts and misguided scan results. The motive behind this strategy is to frighten users into buying the full edition of the software package. Aggressive tactics of advertising along with the application of a Trojan downloader help in distribution of the program.

For installation, this damaging software uses tactics that scare user by informing that malware or spyware is loaded on his system. The software then makes an offer to get away from this problem in return of payment. Besides, these applications often come with other malware to serve other purposes. Usually, applications of this kind arrive as antivirus or anti-spyware software.

The attack launched on Radio Times and ITV does not directly target the site of each other but indirectly via scripts of the third party. There might be other sites as well, which are still unidentified but possibly affected.

According to preliminary analysis by Sophos experts, a PHP code redirect to an affiliate site of Cleanator was thrust into the advert traffic from ITV.com through third-party groups. It is believed malware features in the new attack.

Senior Technology Consultant, Sophos, Graham Cluley, explained how one of the affiliated advertisement Websites of ITV carried a link pointing to Gida-B, a malicious file that loads its own copy, which in turn, installs a script that directs visitor to a Cleanator site, as reported by Channelregister on February 21, 2008.

As the user lands on one of the affiliate sites of Cleanator, he finds himself trapped in a series of pop-ups that are hard to avoid. Sophos believes that people behind this attack are from the same group that recently punted with the scareware package of Mac Sweeper.

» SPAMfighter News - 2/25/2008