New York Times Hosts Rogue Ad in Security Breach

The New York Times was hit with a malicious “anti-virus” ad over the weekend in a very sophisticated attack that exploited a weakness in how the company receives advertising. This attack was a classic example of a current trend in cybercrime according to a new IBM report that found, “The presence of malicious content on trusted sites has increased, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites.”

Unsuspecting New York Times users saw a very realistic – yet malicious – ad claiming their computer had malware running.

The ad advised users to remove the malware by running a full computer scan using a product called “Personal Antivirus” to find and remove the infections.

Users were then told to buy the antivirus program in order to stay safe.

The criminals behind this sophisticated attack exploited five vulnerabilities – one vulnerability on the part of the NYT, four vulnerabilities common to consumers:

  1. Fundamental security weaknesses in the advertising systems used by trusted websites
  2. Consumers’ fundamental trust in reputable companies and their websites – Any ad that appears on a trusted site by association gains a stamp of legitimacy in consumers’ eyes and they let their guard down.
  3. Consumers’ lack of technical savvy – For less experienced users, seeing a pop-up warning them that their computer is infected inclines them to panic. While panicked, they grasp at the ‘remedy’ in front of them rather than question why the ad appeared, wonder why they have never heard of this anti-virus product, or conduct a bit of research to find a reputable antivirus product.
  4. Consumers’ failure to secure their computers – An alarmingly high percentage of consumers still do not have the necessary security software installed, or up-to-date, on their computers. These consumers are more likely to fall for this type of exploit because they know they are exposed. Consumers with appropriate security are more likely to turn to their existing (legitimate) tools to check for infections.
  5. Consumers’ faith in slick graphics – if it looks professional, it must be legit

While consumers cannot increase the security of trusted sites (the company’s responsibility; in this case the New York Times scrambled to remedy the issue), consumers can eliminate their own susceptibility towards this type of malicious social engineering by carefully evaluating who, and what, they trust.

Most consumers still follow the assumption that if I trust “A”, and “A” appears to vouch for “B”, then I can trust “B”, but there are far too many assumptions in this equation that threaten your safety and security.

Misplaced trust

  • No matter how trusted a friend or family member is, if that person is using a compromised computer, they may be unwitting distributors of malware.
  • Friends of friends – particularly those you or your friends have never met in person – may not deserve any trust, let alone trust in accepting links.
  • “Legitimate” companies may not deserve your trust. Neither the size of a company nor its popularity is reason to give it unqualified trust. For example: Google accepts money to place malware in its sponsored links. Facebook’s Terms & Conditions give them more rights to your content than they should be trusted with. Echometrix’s Sentry Parental Control Software sells kids’ conversations (they claim to anonymize the kids) to advertisers.
  • Websites of companies who would never dream of tarnishing their reputation by accepting malicious advertising can be hacked or exploited – as seen in this NYT example.
  • News feeds unwittingly promote malicious links as criminals engineer search engine results.
  • Phishing sites may look identical to a reputable site, but by inadvertently mistyping the URL or by following a link that purports to be the legitimate site, you may find yourself far off track.
  • Tweeters may place malicious links – and others may inadvertently re-tweet these on their posts. These can be particularly hard to identify as they frequently shorten the URLs so you don’t know the real site being pointed to.

The art of Internet Self Defense

This type of exploit, where criminals leverage the weaknesses in online advertising delivery systems to distribute malicious ads on legitimate sites, is going to increase. You need to be able to defend against it, and a few simple preventative measures can go a long way.

  1. Make sure you have security software and it is up-to-date. This will usually block malware from downloading to your computer.
  2. Do not download files, particularly executable files (they have a .exe at the end of the file name), unless you have verified they are safe.
  3. Stay in control and steer yourself to websites, don’t be pulled by links that may or may not take you where you want to go. If the link looks interesting, go find it yourself using your search engine. That way the ad’s link can’t pull you onto a site riddled with malware or land you on a phishing site.
    1. Searching the web without using tools that identify malicious websites for you is asking for trouble – you simply will not be able to tell which sites are legitimate.
      You need to use a product that visibly identifies for you the potential for malicious code on search results. I happen to use McAfee’s Site Advisor tool on all my machines, but both Firefox and Internet Explorer have features you can use to alert you to malicious sites, and several other companies offer similar services.
  4. Keep a healthy level of skepticism and slow down. Knee-jerk reactions do not give you time to evaluate the authenticity of the ad, its promises or its links, nor do they let you check the facts. Don’t panic over warnings, jump to accept ‘offers’, believe someone wants to give you money, or respond to a plea for help. If you take the time to think things through and check the facts, you are much more likely to avoid well-placed-but-malicious links, and much less likely to give away your information or fall for other exploits. Checking the facts is easy online: look on a site like for to see if they report the ad as fraudulent, or enter the company name into a search engine and see if there are warnings about it.


