New York Times inadvertently sold ad space to hackers

Share this article:
Attackers appearing to be advertising for an internet phone company switched their tactics over the weekend and began offering rogue anti-virus programs to readers of the The New York Times website, the newspaper revealed late Monday.

During the weekend, certain readers of the newspaper's online version received a Windows-like pop-up, falsely warning them that their computer was infected and then prompting them to purchase bogus anti-virus solutions to clear the infection. On Monday, the Times issued a notification, explaining the malware was caused by an “unauthorized advertisement” that made its way into the newspaper's ad stream.

About half of the ads on the NYTimes.com are handled by a third-party advertising vendor, and as a result are not reviewed internally for quality and security, Diane McNulty, a spokeswoman for the Times said in story that ran Monday on the paper's website. The ad in question, however, was approved by the NYTimes.com advertising operations team, she said.

The attackers behind the scheme initially ran legitimate ads from the phone company, Vonage, but at some point during the weekend, they began pushing malware, McNulty said.

Since Vonage had advertised with the Times in the past, the hacker was permitted to use an outside vendor to deliver the ad, though that vendor never was approved, McNulty said. This is what enabled attackers to switch their ad from the legitimate Vonage ad to the malicious one, she added.

“In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said in the Times story.

McNulty did not respond to SCMagazineUS.com on Tuesday.

It is unclear how many users were subjected to the ad, but by Monday, it no longer was being served, the Times said.

The Times isn't the first company to fall victim to attacks of this nature. The website of The Daily Mail newspaper served up malicious ads for rogue anti-virus in December 2008 and Newsweek also has been hit with malicious banner ads.

“There has been a definite uptick in attackers wanting to put malicious code on legitimate websites,” Ryan Barnett, director of application security research at security vendor Breach Security, told SCMagazineUS.com on Tuesday.

Attackers are looking to infect legitimate websites -- commonly by means of SQL injection -- because they often have good reputations and large user bases, Barnett said. This incident should illustrate the importance of vetting the information that goes on one's website instead of blindly trusting information provided by business partners, he added.

In addition, publishers should consider letting only advertisers that provide banner ad images and text ads -- not IFRAME URLs -- onto their sites, Troy Davis, CEO of cloud web services vendor Seven Scale, told SCMagazineUS.com on Monday.

A spokesperson for Vonage could not immediately be reached on Tuesday.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.