NYTimes.com readers got a little bit more news than they bargained for this weekend when it turned out the site was serving up malicious advertisements to some of its visitors.
According to a posting on the Website, some readers saw a pop-up message warning them that their computer had been infected and telling them to install what was in fact fake anti-virus software. The NYT also posted this message on its Twitter feed to warn users:
“Attn: NYTimes.com Readers: Do not click pop-up box warning about a virus – it’s an unauthorized ad we are working to eliminate.”
The prospect of using malicious ads to infect visitors of legitimate sites is nothing new; in fact eWEEK itself fell victim to it not long ago. The situation raises the question of who is responsible for protecting Web surfers from this type of attack. The New York Times surely has a duty to inform readers of such an attack, but it may be too much to ask an organization the size of the Times to inspect every advertisement in advance. After all – as Sophos Senior Technology Consultant Graham Cluley pointed out – “they’re just plugging a small piece of JavaScript onto their Website that collects the next advert from their provider’s database.”
But that doesn’t mean the site owners have no role to play.
“It is the advertising network that should be screening adverts to hunt for malicious content, higher up the stream,” opined Cluley. “And it is the responsibility of the webmasters at the media organisations not to do business with ad suppliers who can’t manage this problem properly.”
No matter how they are distributed, rogue AV scams are not going away. They have in fact been a staple of the Web for years, and their continued prevalence and profitability can be seen in reports from Microsoft and Finjan.
In this case, the pop-up gave the user the usual warning that their computer was infected and offered a free system cleanup. All the user had to do was click on the ad. Of course, the ad took victims to a malicious site being hosted by a German provider, Hetzner AG. A detailed analysis of the code can be found here.