March 30, 2011, 8:53 PM — Oops. European music-streaming service Spotify accidentally sent users malware hidden within banner ads that appear within the free version of its software. Spotify immediately turned off ads as it battled to find the errant banner, as it explained in a series of frantic tweets.
In so-called drive-by attacks, cybercriminals prepare otherwise innocent-looking advertisements that contain malware within their HTML code. They then buy advertising space on the sites (or adware) in question.
Ad-space vendors rigorously check the ads to ensure that the organization behind the ad is legitimate, but that clearly went wrong here. The cybercriminals were able to inject rogue Java programs onto some users' computers via a vulnerability in Adobe Acrobat.
According to anti-malware firm Dasient, drive-by-downloads are among the most popular methods of malware distribution. Late last year, both Google and Microsoft served malware on their Christmas sites after a similar attack affected advertising giants DoubleClick and MSN. In that case, the cybercriminals claimed to be from a reputable business but the URL they supplied was one-letter away from what it should have been. Many other sites have fallen prey to similar drive-by schemes, including the New York Times, simply because they are unable to individually vet every single ad.
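One control an ad network can automate is the one-letter-lookalike check that the DoubleClick/MSN incident above shows being missed: compare each submitted advertiser domain against already-vetted advertisers and hold anything within a single edit for manual review. This is an added example, not code from the article or from any of the companies named; the domain lists are constructed sample data.

```python
# Added example (not from the article): an ad-network vetting check that flags
# advertiser domains one edit away from an already-vetted advertiser, the kind
# of one-letter lookalike described in the DoubleClick/MSN incident. Constructed data.

TRUSTED_ADVERTISERS = {"acme-shoes.example", "bigbank.example", "travelco.example"}

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution: advance both strings
        j += 1      # insertion/deletion: skip the extra character in b
    return edits + (len(b) - j) <= 1  # a trailing unmatched char in b is one more edit

def vet_advertiser_domain(domain: str) -> str:
    """Classify a submitted advertiser domain: 'trusted' (exact match with a vetted
    advertiser), 'lookalike:<dom>' (one edit from <dom>: hold for manual review) or 'unknown'."""
    d = domain.strip().lower().rstrip(".")
    if d in TRUSTED_ADVERTISERS:
        return "trusted"
    for trusted in sorted(TRUSTED_ADVERTISERS):
        if within_one_edit(d, trusted):
            return "lookalike:" + trusted
    return "unknown"

if __name__ == "__main__":
    # constructed ad submissions: one legitimate, three typosquats, one unrelated
    for submitted in ["BigBank.example.", "bigbnk.example", "b1gbank.example",
                      "bigbanks.example", "newshop.example"]:
        print(f"{submitted:20} -> {vet_advertiser_domain(submitted)}")
```

An exact match only says the domain is already on the vetted list; the ad creative itself still needs the normal content checks.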
Avoiding falling victim to the majority of attacks is easy. First, ensure your browser, Internet plug-ins, and Adobe software (Flash, Adobe Reader, etc.) are up to date. The attacks usually exploit known weaknesses in such software.