This weekend, readers of the New York Times website NYTimes.com were exposed to danger as the popular media outlet served up malicious adverts to some of its visitors.
According to a posting on the website some readers saw a pop-up messaging warning them that their computer had been infected, and urging them to install fake anti-virus software (also known as scareware):
Aside from a message on its website, The New York Times posted a message on their Twitter feed in an attempt to warn its readers:
It has been reported that the New York Times published a warning on the front page of its website on Sunday (you can see a screenshot here), but by the time I had visited it was no longer apparent.
In the past other media outlets (such as the ITV and RadioTimes) have fallen foul of poisoned adverts serving up malware and fake anti-virus alerts.
As many media organisations leave the delivery and creation of web adverts to third-party networks they are effectively relying on other companies to deliver an unpolluted stream to their readers. Newspapers like The New York Times therefore still have a responsibility to warn their readers and clean-up their ads if a problem is discovered – but I think it’s asking too much and impractical to think they should examine every advert in advance. After all, they’re just plugging a small piece of JavaScript onto their website that collects the next advert from their provider’s database.
It is the advertising network that should be screening adverts to hunt for malicious content, higher up the stream. And it is the responsibility of the webmasters at the media organisations not to do business with ad suppliers who can’t manage this problem properly.
Of course, it is little consolation for the poor infected user to know who failed to check what they were delivering properly. As far as they are concerned, they visited NYTimes.com, were warned about a virus infection, and were tricked into installing scareware software that has now compromised their Windows PC.
Fake anti-virus alerts have become one of the biggest revenue-generators for cybercriminals, and as a result we’re seeing more attacks all the time either planting malicious scareware on compromised websites, posing as legitimate security companies, or explotiing hot internet search topics.
Update: Fraser Howard from SophosLabs has blogged some additional information about this attack.
Further update: It has emerged that the hackers purchased advertising space directly from the New York Times, posing as internet telephone company Vonage.