During the weekend, certain readers of the newspaper's online version received a Windows-like pop-up, falsely warning them that their computer was infected and then prompting them to purchase bogus anti-virus solutions to clear the infection. On Monday, the Times issued a notification, explaining the malware was caused by an “unauthorized advertisement” that made its way into the newspaper's ad stream.
About half of the ads on NYTimes.com are handled by a third-party advertising vendor, and as a result are not reviewed internally for quality and security, Diane McNulty, a spokeswoman for the Times, said in a story that ran Monday on the paper's website. The ad in question, however, was approved by the NYTimes.com advertising operations team, she said.
The attackers behind the scheme initially ran legitimate ads from the phone company Vonage, but at some point during the weekend, they began pushing malware, McNulty said.
Since Vonage had advertised with the Times in the past, the hacker was permitted to use an outside vendor to deliver the ad, though that vendor never was approved, McNulty said. This is what enabled attackers to switch their ad from the legitimate Vonage ad to the malicious one, she added.
“In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said in the Times story.
McNulty did not respond to SCMagazineUS.com on Tuesday.
It is unclear how many users were subjected to the ad, but by Monday, it no longer was being served, the Times said.
The Times isn't the first company to fall victim to attacks of this nature. The website of The Daily Mail newspaper served up malicious ads for rogue anti-virus in December 2008 and Newsweek also has been hit with malicious banner ads.
“There has been a definite uptick in attackers wanting to put malicious code on legitimate websites,” Ryan Barnett, director of application security research at security vendor Breach Security, told SCMagazineUS.com on Tuesday.
Attackers are looking to infect legitimate websites -- commonly by means of SQL injection -- because they often have good reputations and large user bases, Barnett said. This incident should illustrate the importance of vetting the information that goes on one's website instead of blindly trusting information provided by business partners, he added.
In addition, publishers should consider letting only advertisers that provide banner ad images and text ads -- not IFRAME URLs -- onto their sites, Troy Davis, CEO of cloud web services vendor Seven Scale, told SCMagazineUS.com on Monday.
A spokesperson for Vonage could not immediately be reached on Tuesday.