New York Times serves up rogue ads to readers

Readers of the The New York Times website might have found themselves facing rogue anti-virus advertisements that made their way onto the newspaper's site over the weekend.

The malware, which affected only some readers of, was the result of an “unauthorized advertisement” that made its way onto the newspaper's ad stream, the paper said in a statement on its website Sunday.

Attackers were able to inject malicious JavaScript code into a Times ad, thereby serving up the malware to readers, Troy Davis, CEO of cloud web services vendor Seven Scale, wrote in an analysis of the malware Sunday.

“This isn't particular to, and the method of injection is common enough that it could have happened on dozens of large websites,” Davis told in an email Monday.

Readers who encountered the malware saw a Windows-like popup that falsely warned them that their computer was infected, Graham Cluley, senior technology consultant at security vendor Sophos, told in an email Monday.

In typical rogue anti-virus fashion, the malware caused the user's browser to open a screen that appeared to be a Windows “system scan,” during which progress bars and a list of malware that was supposedly being found were displayed.

“The Times believes it has eliminated these ads,” technology writer Riva Richmond said in a Times' Gadgetwise blog post on Monday.

Cluley said the poisoned ads no longer are being served to readers.

According to reports, the Times uses a third-party ad network vendor to manage the delivery of ads on its site. A spokesperson for the newspaper could not be reached Monday for comment.

Cluley said that he thinks the Times' ad vendor is to blame for the incident.

“I think it's fair for them [the paper] to expect that the third-party network will be taking the appropriate steps to ensure that the content they are delivering is not polluted -- just as you would not expect water from your water company to be contaminated," he said.

One Times reader named "Chris," in a comment to Richmond's blog post, questioned fully relying on third-party ad networks.

"Wow, talk about absolving yourself of the blame," Chris wrote. "A site that attracts millions of visitors a day should no doubt be screening its own ads."

Seven Scale's Davis said that placing less trust in third-party content might be the answer to avoiding this problem in the future.

“For content publishers, I recommend only letting advertisers provide banner ad images and text ads, not IFRAME URLs,” Davis said. “Allowing third-parties to run JavaScript within one's site is a much higher level of trust.”

Other news outlets previously have fallen victim to similar attacks, including the website of The Daily Mail newspaper, which served up malicious ads for rogue anti-virus in December 2008, Cluley said.

Newsweek also has been hit with malicious banner ads.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.