New York Times inadvertently sold ad space to hackers

Share this article:
Attackers appearing to be advertising for an internet phone company switched their tactics over the weekend and began offering rogue anti-virus programs to readers of the The New York Times website, the newspaper revealed late Monday.

During the weekend, certain readers of the newspaper's online version received a Windows-like pop-up, falsely warning them that their computer was infected and then prompting them to purchase bogus anti-virus solutions to clear the infection. On Monday, the Times issued a notification, explaining the malware was caused by an “unauthorized advertisement” that made its way into the newspaper's ad stream.

About half of the ads on the NYTimes.com are handled by a third-party advertising vendor, and as a result are not reviewed internally for quality and security, Diane McNulty, a spokeswoman for the Times said in story that ran Monday on the paper's website. The ad in question, however, was approved by the NYTimes.com advertising operations team, she said.

The attackers behind the scheme initially ran legitimate ads from the phone company, Vonage, but at some point during the weekend, they began pushing malware, McNulty said.

Since Vonage had advertised with the Times in the past, the hacker was permitted to use an outside vendor to deliver the ad, though that vendor never was approved, McNulty said. This is what enabled attackers to switch their ad from the legitimate Vonage ad to the malicious one, she added.

“In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said in the Times story.

McNulty did not respond to SCMagazineUS.com on Tuesday.

It is unclear how many users were subjected to the ad, but by Monday, it no longer was being served, the Times said.

The Times isn't the first company to fall victim to attacks of this nature. The website of The Daily Mail newspaper served up malicious ads for rogue anti-virus in December 2008 and Newsweek also has been hit with malicious banner ads.

“There has been a definite uptick in attackers wanting to put malicious code on legitimate websites,” Ryan Barnett, director of application security research at security vendor Breach Security, told SCMagazineUS.com on Tuesday.

Attackers are looking to infect legitimate websites -- commonly by means of SQL injection -- because they often have good reputations and large user bases, Barnett said. This incident should illustrate the importance of vetting the information that goes on one's website instead of blindly trusting information provided by business partners, he added.

In addition, publishers should consider letting only advertisers that provide banner ad images and text ads -- not IFRAME URLs -- onto their sites, Troy Davis, CEO of cloud web services vendor Seven Scale, told SCMagazineUS.com on Monday.

A spokesperson for Vonage could not immediately be reached on Tuesday.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Ground system for weather satellites contains thousands of 'high-risk' bugs

Ground system for weather satellites contains thousands of ...

An audit of the Joint Polar Satellite System ground system revealed thousands of vulnerabilities, most of which will be addressed in two years when the next version of the system ...

Threat report on Swedish firms shows 93 percent were breached

The study by KPMG and FireEye also found that 49 percent of detected malware was unknown.

Former acting HHS cyber director convicted on child porn charges

Former acting HHS cyber director convicted on child ...

Timothy DeFoggi, who was nabbed by the FBI last year in its Operation Torpedo investigation was convicted by federal jury in Nebraska.