Google's advertising subsidiary DoubleClick and Microsoft’s MSN ads service have both admitted to falling for a clever scheme by some nasty black hat hackers. Malicious banner ads on both services were found attempting drive-by download exploitation to install malware on users' machines.
As with many great (or terrible) episodes of computer crime, a key component was clever social engineering. Hackers created a site called ADShufffle.com -- one letter away from ADShuffle.com, a major online advertising technology firm. Apparently that was enough to get the ads through screeners at Microsoft and Google.
Security firm Armorize appears to be the first to have noticed the attack. Wayne Huang, chief technology officer of Armorize, details the unusual incident in a blog post, writing:
Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads.
For all their ingenuity, the attackers used pretty standard exploitation packages, including Neosploit and the Eleonore exploit kit. Both kits are popular among black hat hackers, but also among security experts who purchase them to battle-test the security of corporate systems.
A Google spokesperson gave assurances that the ads were only up for a very brief time and have since been terminated. The company is now investigating the incident. Microsoft did not release a statement, but is likely taking similar measures.
The incident is not Google's first brush with malware advertising. Previously, malicious hackers were found to be leveraging Google's AdWords service. In that case as well, the key to the criminals' success was using legitimate-looking links.
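The one-letter lookalike (ADShufffle.com versus ADShuffle.com) and the "legitimate-looking links" above are the kind of thing an ad screener can check mechanically before a human ever looks at the name. The following is an added example, not code from Armorize, Google or Microsoft; the allowlist contents, function names and distance threshold are assumptions chosen for illustration.

```python
import re

# Constructed allowlist of advertiser domains a screener already trusts (assumption).
KNOWN_ADVERTISERS = ["adshuffle.com", "doubleclick.net", "msn.com"]


def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def squash(s):
    """Collapse runs of a repeated character: 'shufffle' -> 'shufle'."""
    return re.sub(r"(.)\1+", r"\1", s)


def normalize(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def screen_advertiser(domain, known=KNOWN_ADVERTISERS, max_distance=2):
    """Return (verdict, matched): verdict is 'known', 'lookalike' or 'unknown'."""
    d = normalize(domain)
    if d in known:
        return ("known", d)
    for k in known:
        # Flag names that differ only by doubled letters or by a few edits.
        if squash(d) == squash(k) or edit_distance(d, k) <= max_distance:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for name in ["ADShufffle.com", "www.ADShuffle.com", "example.org"]:
        print(name, "->", screen_advertiser(name))
```

A "lookalike" verdict is a reason to hold the account for manual verification, not proof of abuse; short domains produce more false positives at a fixed distance threshold.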