
New York Times serves up rogue ads to readers

By Angela Moscaritolo on Sep 15, 2009 11:58AM

An "unauthorised advertisement" made its way onto the Gray Lady's third-party managed ad stream.

Readers of The New York Times website might have found themselves facing rogue anti-virus advertisements that made their way onto the newspaper's site over the weekend.

The malware, which affected only some readers of NYTimes.com, was the result of an “unauthorised advertisement” that made its way onto the newspaper's ad stream, the paper said in a statement on its website Sunday.

Attackers were able to inject malicious JavaScript code into a Times advertisement, thereby serving up the malware to readers, Troy Davis, CEO of cloud web services vendor Seven Scale, wrote in an analysis of the malware Sunday.

“This isn't particular to NYTimes.com, and the method of injection is common enough that it could have happened on dozens of large websites,” Davis told SCMagazineUS.com in an email on Monday.

Readers who encountered the malware saw a Windows-like popup that falsely warned them that their computer was infected, Graham Cluley, senior technology consultant at security vendor Sophos, told SCMagazineUS.com in an email Monday.

In typical rogue anti-virus fashion, the malware caused the user's browser to open a screen that appeared to be a Windows “system scan,” during which progress bars and a list of malware that was supposedly being found were displayed.

“The Times believes it has eliminated these ads,” technology writer Riva Richmond said in a post on the Times' Gadgetwise blog on Monday.

Cluley said the poisoned advertisements no longer are being served to readers.

According to reports, the Times uses a third-party advertising network vendor to manage the delivery of advertisements on its site. A spokesperson for the newspaper could not be reached Monday for comment.

Cluley said that he thinks the Times' advertising vendor is to blame for the incident.

“I think it's fair for them [the paper] to expect that the third-party network will be taking the appropriate steps to ensure that the content they are delivering is not polluted -- just as you would not expect water from your water company to be contaminated,” he said.

One Times reader named "Chris," in a comment to Richmond's blog post, questioned fully relying on third-party ad networks.

"Wow, talk about absolving yourself of the blame," Chris wrote. "A site that attracts millions of visitors a day should no doubt be screening its own ads."

Seven Scale's Davis said that placing less trust in third-party content might be the answer to avoiding this problem in the future.

“For content publishers, I recommend only letting advertisers provide banner ad images and text ads, not IFRAME URLs,” Davis said. “Allowing third-parties to run JavaScript within one's site is a much higher level of trust.”
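One way a publisher could enforce that recommendation at ad intake, as an added example that is not from the article, Davis's analysis or any ad platform. The record fields (`type`, `image_bytes`, `text`, `click_url`) and the function names are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Leading bytes of the raster formats accepted here. SVG is deliberately
# absent: it is XML and can carry script.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpeg": b"\xff\xd8\xff"}

def sniff_image(data):
    """Return the format named by the leading bytes, or None."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def click_url_ok(url):
    """Allow only absolute http(s) links; rejects javascript:, data:, relative."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def vet_creative(creative):
    """Return (True, sanitised_record) or (False, reason) for one submission."""
    kind = creative.get("type")
    if kind not in ("image", "text"):
        return False, f"type {kind!r} refused: images and text only"
    url = creative.get("click_url", "")
    if not click_url_ok(url):
        return False, "click_url must be an absolute http(s) URL"
    if kind == "image":
        fmt = sniff_image(creative.get("image_bytes", b""))
        if fmt is None:
            return False, "upload is not a PNG, GIF or JPEG"
        # The publisher keeps and serves these bytes itself, so the content
        # cannot change after review. This gate checks the header only.
        return True, {"type": "image", "format": fmt, "click_url": url}
    # Text ad: escape so the copy renders as text, never as markup.
    return True, {"type": "text", "text": html.escape(creative.get("text", "")), "click_url": url}

# Constructed sample submissions (not real ads).
SAMPLES = [
    {"type": "image", "image_bytes": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "click_url": "https://advertiser.example/offer"},
    {"type": "iframe", "src": "https://ads.example/frame.html", "click_url": "https://advertiser.example/"},
    {"type": "image", "image_bytes": b"<svg xmlns='http://www.w3.org/2000/svg'>", "click_url": "https://advertiser.example/"},
    {"type": "text", "text": "Sale <b>now</b>", "click_url": "javascript:void(0)"},
    {"type": "text", "text": "Sale <b>now</b>", "click_url": "https://advertiser.example/sale"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["type"], vet_creative(s))
```

Because the accepted image is stored and served by the publisher and the click URL is a plain link, nothing the advertiser controls executes in the page; the `click_url` still needs attribute escaping when it is written into the `href`.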

Other news outlets previously have fallen victim to similar attacks, including the website of The Daily Mail newspaper, which served up malicious advertisements for rogue anti-virus in December 2008, Cluley said.

Newsweek also has been hit with malicious banner ads.


See original article on scmagazineus.com

Copyright © SC Magazine, US edition