There are numerous sites advertising free templates but you have to watch out. File sharing sites are the most common place to get a free template or from a friend if you read the joomla forums.
Nowadays more and more unsavoury distributors of templates have come on the scene trying to cash in on joomla success and catch unwary users.

Several companies in the past have been known to just put hard coded links into their files. Eg Themza whose method was to call an encoded gif{menu_col.gif} file to place a spam link in the menu and also in the footer. a sample of the code
A big discussion on themza is at http://forum.joomla.org/viewtopic.php?p=1827027 They also do not state they are gpl as they have restrictions on you altering their code. 

A newer trick is

to place a piece of code into a file and mark it, for those interested to look, as a security check

/*security feature START*/ if ($this->countModules("left") && $this->countModules("right")) {$compwidth="60";} else if ($this->countModules("left") && !$this->countModules("right")) rpub \'Nhgube yvax zhfg erznva vagnpg.\';qvr;}}purpx_sbbgre();'));function artxReplaceButtons($content){$re = artxReplaceButtonsRegex();} /*security feature END*/ ?>

I have jumbled the coded letters to prevent linking. or even clearer but strangely in the same file from joomlathemes.co aka joomlatemplates.me

 $host = substr(hexdec(md5($_SERVER['HTTP_HOST'])),0,1); $url1 = "http://malicious.me/3.1"; $text1 = array("Simple Joomla Templates","Best Joomla Template","Joomla Blog Template","Joomla Tema", "Free Joomla Template","Gratis Joomla","Plantillas Joomla","Customize Joomla Template","Joomla шаблоны", "Download Joomla Templates"); $url2 = "http://spam.com/ipage-review/"; $text2 = array("iPage Reviews","iPage Hosting","iPage Coupon","iPage Complaints", "iPage Review","iPage Hosting Review","iPage","iPage.com","User Reviews iPage", "iPage Reviews"); echo "".$text1[$host]." by ".$text2[$host]."";

This varies in its method by using an array to randomly change the bait text. Here is another interesting case for a template provider advertising wordpress templates on a joomla template.

div id="hdd">Templates Joomla 1.7 by Wordpress themes free

Since these practices came to light and people started avoiding them, it has become more common to use various different names that all lead to the same sites. freshjoomlatemplates aka qualityjoomlatemplates aka joomlaskins aka livedemos.net or joomlathemes .co aka joomlatemplates. me

It has been stated that these download sites are not "malicious" just "link spamming" template providers. Most of these sites provide legitimate free templates from other developers repackaged with the 'dodgy' code inside. It is up to you, the user to decide to use them or not.