Fake anti-virus attack hits New York Times website readers

Graham Cluley

This weekend, readers of the New York Times website NYTimes.com were exposed to danger as the popular media outlet served up malicious adverts to some of its visitors.

According to a posting on the website, some readers saw a pop-up message warning them that their computer had been infected, and urging them to install fake anti-virus software (also known as scareware):

New York Times warns of poisoned advert

Aside from a message on its website, The New York Times posted a message on their Twitter feed in an attempt to warn its readers:


It has been reported that the New York Times published a warning on the front page of its website on Sunday (you can see a screenshot here), but by the time I had visited it was no longer apparent.

In the past other media outlets (such as the ITV and RadioTimes) have fallen foul of poisoned adverts serving up malware and fake anti-virus alerts.

As many media organisations leave the delivery and creation of web adverts to third-party networks, they are effectively relying on other companies to deliver an unpolluted stream to their readers. Newspapers like The New York Times therefore still have a responsibility to warn their readers and clean up their ads if a problem is discovered – but I think it’s asking too much and impractical to think they should examine every advert in advance. After all, they’re just plugging a small piece of JavaScript onto their website that collects the next advert from their provider’s database.

It is the advertising network that should be screening adverts to hunt for malicious content, higher up the stream. And it is the responsibility of the webmasters at the media organisations not to do business with ad suppliers who can’t manage this problem properly.

Of course, it is little consolation for the poor infected user to know who failed to check what they were delivering properly. As far as they are concerned, they visited NYTimes.com, were warned about a virus infection, and were tricked into installing scareware software that has now compromised their Windows PC.

Fake anti-virus

Fake anti-virus alerts have become one of the biggest revenue-generators for cybercriminals, and as a result we’re seeing more attacks all the time, either planting malicious scareware on compromised websites, posing as legitimate security companies, or exploiting hot internet search topics.

Update: Fraser Howard from SophosLabs has blogged some additional information about this attack.

Further update: It has emerged that the hackers purchased advertising space directly from the New York Times, posing as internet telephone company Vonage.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
