Poisoned TV website adverts lead to PC and Mac scareware

February 21, 2008 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have advised firms to properly secure their users' web activity following the discovery of poisoned adverts affecting high-profile websites.

Sophos has confirmed reports that the website of BBC competitor ITV has been the victim of a poisoned web advert campaign, designed to deliver scareware to Windows and Mac users. A posting on the website of The Radio Times, Britain's leading TV listing magazine, confirms that a similar offending advert was removed from their site yesterday.

Sophos experts discovered that a Macromedia Flash file, detected as Troj/Gida-B, was injected into traffic served up by ITV.com via third party advertising agencies. Sophos has identified that the adverts are designed to promote a program called Cleanator (on Windows) or MacSweeper (on Apple Macs). Both programs claim to detect "compromising files" on your computer, and encourage users to purchase a full version of the package.

Pop-up Cleanator message displayed
Users may see a pop-up message urging them to download Cleanator or MacSweeper.

Warning from Cleanator
The programs claim to have found 'dangerous files' and urge users to pay for a full version.

"TV viewers are accustomed to adverts getting in the way of what they want to watch - they're probably not as used to adverts on their favorite TV websites delivering unwanted code straight to their desktops. The worrying thing is that it's quite likely that it is not just these websites that are affected - other websites could be carrying poisoned adverts," said Graham Cluley, senior technology consultant at Sophos. "Companies who wish to protect their users from visiting what they may consider to be perfectly legitimate websites need to start scanning for malicious code at the web gateway, just as they would at the email perimeter or on the desktop. Sophos has seen an explosion in the use of the web to spread malware, adware and spyware - and firms need to take appropriate measures or risk having unauthorized code running on their employees' computers."

"Websites often use third parties to serve up their advertising for them. Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links," continued Cluley. "After all, it is the website that is going to receive the angry complaints from their legions of users."

MacSweeper
The people behind the adverts encourage Apple Macintosh users to download a piece of scareware called MacSweeper.

Last month Sophos published its annual Security Threat Report, which detailed how criminals are increasingly using the web to generate revenue and spread malware. Sophos detects 6000 new webpages carrying malicious code every day, and there are increasing sightings of online adverts being poisoned to direct browsers to dangerous sites.



Sophos continues to recommend companies protect their desktops, gateways and servers with automatically updated protection against viruses, spyware, hackers, and spam.