Home Delivery: The New York Times Serves Up Some Malware
by Peter Kafka
Posted on September 13, 2009 at 12:57 PM PT
Here’s a front-page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of bogus ads running on its Web site.
The paper says “some readers” have seen unauthorized pop-up ads promoting antivirus software on NYTimes.com, and warns visitors who see the ad not to click on it but to restart their browsers instead. While the Times doesn’t spell this out, the newspaper has likely had its site hijacked by a “malware” scammer who is trying to trick visitors into installing pernicious software onto their hard drives.
MediaMemo reader Tim Minter passed along an image of the pop-up below (click to enlarge). Here’s his description of the way it appeared on his desktop:
The ad hijack[ed] my computer. Say I’m reading an article (the Clean Water Act was the one that caught me). It then redirects my browser involuntarily to sex-and-the-city.cn. That site then redirects to the ad I screen-captured.
At no time did I click anything. That’s what is so nefarious about this malware.
Thankfully, since I run OS X, I knew immediately it was malware (seeing WindowsXP on a Mac where that’s not installed is suspicious).
You generally have to travel farther down the Internet publishing food chain to find this kind of bogus ad–go hunting for porn and/or illegal downloads, for instance, and you’ll find plenty of this stuff.
But Web advertising is still a wild and woolly place, and this type of thing still plagues high-end publishers too. Sometimes it’s the fault of ad networks the publishers use to move their unsold inventory; sometimes the bogus ads are bought directly from the publishers themselves.
I’ve asked both the Times PR staff and ad tech team for additional information about the ads, but haven’t heard back yet. Still, you have to give the paper credit for flagging this on its front page at all.
UPDATE: The Times’ explanation: A hacker duped the paper by buying the ad directly from the paper’s sales staff, then disguising it as a legit ad for a week.
Comments
I encountered this one months ago — not on the NY Times web site, but as the result of a Google search. Clicking the Google link directed me to a server apparently owned by an innocent company in New Jersey, which seemed to have had its server hacked to host this page. It’s not clear whether the page itself is dangerous (I’m on a Mac so I wasn’t vulnerable), or whether it’s simply a spoof that beckons the user to click on something which is.
The comments in the article suggest that it’s currently being hosted on the sex-and-the-city.cn server, so that’s where the attention should be placed, not the NY Times. Users should also know that if a browser redirect is a “computer hijack” then our computers are being hijacked every day.
Posted by Mitch Stone at September 13th, 2009 at 2:58 pmThis malware came on my screen (MacBook OSX) when reading an opinion and writing a comment. Just as I sent it the offer for security software came on..
Posted by Jan Orlin at September 13th, 2009 at 3:50 pmI didn’t open it but it did freak me out a bit because the town and state I live in and what appeared to me my correct ID code were on this webpage that was obviously written for a PC. But half of my computer is Intel PC; maybe it was infected? And I could not get my browser to close at all. I did a Force Close and still had to fool around to get the browser then the whole thing to shut down.
During that time I kept wondering if the malware was inside reading/copying my info and creating a trojan. I still do not know that.
It is not moving slowly today and I am assuming all is well. I had just updated the Security software the day before. Also, I have read a few things on the NYTimes site today with no problem.
Funny how all the comments are from non-Windows users.
I wonder if 80 something percent of computer users are now scratching their head wondering why their mouse pointer is stuck.
It does not bode well for newspapers (and big media in general) to have to turn over advertising to third parties. Not only can this sort of thing happen, but the more servers that have to get involved in loading a single web page the more chances there are for the page to load slowly, or stall completely. People wonder why “the Internet keeps getting slower” and this is a large part of the answer.
I’ve gotten aggressive about blocking ads, not because I don’t want to see ads, but because I’m sick and tired of the delays they introduce as well as the risk.
Publishers: get your act together!
Posted by Mac Beach at September 13th, 2009 at 5:16 pmThank you for posting this article. I noticed this as well on Saturday. I have a PC and I use Google Chrome as my web browser with the New York Times’ Media & Advertising page as one of my homepage tabs. It kept automatically running that “ad” in a new tab and would lock the browser. Considering I never really download anything, I was puzzled.
Mystery solved! Many thanks!
BTW, I grabbed, Malwarebytes’ Anti-Malware, from Download.com and it found it (and removed it).
Posted by Mitch Joel at September 13th, 2009 at 5:38 pmit got me this morning. fortunately, i knew what it was and no harm was done. i did find it odd that it was on the NYT’s site though
Posted by erik rodsju at September 13th, 2009 at 6:13 pmI saw this too, on Safari on a mac. I was pretty surprised this would happen from the New York Times. Going to Snow Leopard killed my ad block extension on Safari.
Posted by Bjorn Tipling at September 13th, 2009 at 6:35 pmHow come I never see these wonderful adverts?
Posted by Dave Barnes at September 13th, 2009 at 7:05 pmI even surf to porn sites.
And, every time I read an article about this type of event, when I go there I see nothing.
I too ran into this – it was incredibly tenacious. I had to force quit my browser to get away from it. Fortunately this was Safari, running on Mac OS X. Even so, I ran a complete virus scan afterward.
The malware poses as a page for scanning your computer for viruses and wants you to click to download a “necessary component” for the scan.
VERY dangerous.
Posted by Daniel Kinoy at September 13th, 2009 at 9:50 pmHuffPo got me with this! They posted a story on their website with a link at the bottom. I thought that the link was going to take me to another page on HuffPo and instead it took me to the NY Times. Thanks a lot HuffPo! Anyway…
I was on my iPhone and it put up a pop up window asking me if I wanted to proceed or cancel. I pushed cancel but that didn’t help it took me to a screen with some sort of countdown, but I didn’t keep Safari open long enough to really see what was happening. My iPhone seems fine though. Working as usual.
Um… HuffPo – when you’re telling people about a virus, DON’T LINK TO IT! Jeesh.
Posted by Zoe Wiseman at September 13th, 2009 at 11:21 pmOH! and I didn’t click on an ad. I clicked through from the HuffPo APP on my iPhone – the link took me to the NY Times website but at no time did I click on an advertisement (never do) it just automatically took over and started the weird count down.
Posted by Zoe Wiseman at September 13th, 2009 at 11:29 pmWell again, I don’t think the Times deserves any blame here, if only because I encountered this spoof months ago in a Google search. Whatever the hackers are doing, this scheme is versatile in the way it is introduced. The server that needs to be examined is sex-and-the-city.cn, as it is the one hosting the malware, probably because it was compromised.
Posted by Mitch Stone at September 14th, 2009 at 8:22 am