Mainstream children's Web sites host a glut of adware, a security firm said this week, proof that spyware makers are targeting kids in an attempt to slip by parents and get their software onto home computers.

Over a three-month period, said Kraig Lane, a group product manager in Symantec's consumer division, his lab took new PCs out of the box, connected them to the Internet without monkeying with any of the default settings in Windows XP SP2, then surfed well-known sites in several categories, ranging from kids and sports to news and shopping.

"Our testers went to name-brand Web sites, and spent 30 minutes to an hour reading or interacting with sites," said Lane. Testers tried to emulate real-world browser by reading articles, interacting with the site's features, but not explicitly looking to accumulate files by downloading. "Then they ran spyware detection software and counted up what kind of security risks and how many files had been installed on the machines," Lane said.

Children were the biggest target for spyware makers, by far. The trip to several kids' sites installed a whopping 359 pieces of adware on Symantec's PCs, five times more than the nearest category rival, travel. Popup ads proliferated on the machines after that, making them virtually unusable.

Symantec's test didn't spot any spyware installed on the PC that browsed kids' sites.

"That makes sense when you think about it," said Lane. "Kids may be the biggest target for advertisers--they know that children beg their parents to buy things--but kids don't have access to credit cards, which is what spyware makers are after."

Each category of sites installed a different mix of adware and spyware, said Lane, that made at least some economic sense. The travel sites Symantec browsed, for example, installed 64 pieces of adware but also 2 pieces of spyware. "Spyware authors consider the site's demographics, and use that information to target certain types of threats. In travel, for example, we saw some spyware programs installed because visitors to travel sites do some credit card transactions."

The "cleanest" category, said Lane, was shopping. "Shopping sites don't want to distract you [with pop-ups]," said Lane. "They have you there, and the site operators are only thinking 'let's complete the sale,' not how to install adware on their sites."

"This is a great technique when you think about it," said Richard Stiennon, director of threat research at anti-spyware software vendor Webroot. "They're basically inducing kids to install the adware that their parents might have avoided."

But Stiennon thinks that the tide may be turning on spyware creators. Not because of any technological leap, but because Eliot Spitzer, the New York Attorney General, recently filed his first lawsuit against a spyware vendor. http://internetweek.com/security02/showArticle.jhtml?articleID=161601947 "I see this as a key event in the fight against spyware," said Stiennon, who earlier this month http://www.techweb.com/wire/security/162100621 estimated that adware makers alone generate $2 billion in revenues annually. "When Spitzer goes after someone, that usually means everyone else will start to go after them.

"If I were a spyware or adware company, I'd be quaking in my boots right now," Stiennon added.