All Things Digital

MediaMemo

The New York Times Explains How It Got Hacked: It Sold an Ad to a Hacker

How did the New York Times end up serving a fake–and potentially dangerous–ad from its NYTimes.com site over the weekend? It got paid to do it.

That’s the unsettling story that comes out of the Times’s explanation of the incident, in which an untold number of the site’s visitors were served up with an ad promoting malware.

The attack, which the Times says was also directed at other, unnamed news organizations, is worrisome enough. But the fact that the culprits behind it essentially walked right into the front door of the New York Times (NYT) and conned the paper into distributing the fraudulent ads is really scary.

The short version: The Times says that someone who “masqueraded as a national advertiser” bought ad space on the site, which is visited by some 45 million people a month from the U.S. alone. The unnamed buyer “provided seemingly legitimate product advertising for a week.”

UPDATE: The Times says the fake ads were for Internet phone service Vonage.

Then, over the weekend, the culprits started churning out the malware. The Times has issued a statement explaining some of what happened, which I’m reprinting at the bottom of this post (the paper also has a consumer guide to help you protect yourself from malware, viruses and other Web unpleasantness).

But the statement is a bit confusing and seems to indicate that the paper was compromised by an ad network it used to sell remnant space on the site. That’s what I thought might have happened at first, and that’s what the paper’s tech staff thought as well–note the reference to “suspending all third-party advertisements on the site.”

But I double-checked with Times spokeswoman Diane McNulty, who confirmed that the paper’s own staff had sold the fake ad.

How could this happen? I don’t know–anyone with Web buying experience want to weigh in? But I do know that it’s not the first time bogus ad buyers have bought space directly from publishers.

Earlier this year, I wrote about an incident in which someone pretended to buy ads on behalf of Hyundai. And that story elicited a response from an ad exec at a very big, very well-known Web publisher, who told me that in 2008, his employer had received a large order on behalf of a different auto company, and ran some of the ads before figuring out they were fakes.

Here’s the Times’s explanation:

As you know, over the weekend, nytimes.com was the victim of a malware attack that targeted several news organizations. The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week. Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.

As soon as we were made aware of the situation, we took aggressive steps, suspending all third-party advertisements on the site. We posted information about the attack on our home page and directed readers on what to do if they encountered the malicious code. There is additional information posted today on our homepage and our Gadgetwise personal technology blog.

We now know how it occurred and have taken steps to prevent a similar situation from happening.

  • The thing about it - when I got the malware, my first thought was that things must be really bad for them to sell ad space and redirect.

    Turns out to be true, which is even sadder.
  • Mitch Stone
    This story continues to be incomplete. The malware was being hosted by another server, which was hacked. The Times was running an ad which forwarded users to the hacked server.
  • Obviously someone with a very convincing baseball cap that said "National Advertiser" walked in and completely bowled them over with slick-talk a-la Jason Blair!

    What's a poor publishing empire to do these days?!

    PS: While on the subject of incompetence, whoever took the photos of the recent rally in DC for the Times should be FIRED!
  • This is exactly why I only allow image ads on my website. Posting JavaScript/Flash advertisements willy nilly is just asking for trouble.
  • Who cares about this bogus advert?
    It was obviously fake.
    It obviously did not pertain to Mac and Linux machines.
    Who cares?
  • In the early days, most Internet advertisers sent the actual creatives to the publisher, who served these ads through the publisher's ad server. These days, most publishers allow legitimate advertisers to provide re-direct tags, so that the publisher, instead of serving the actual advertisement, instead indirectly calls the advertiser's ad server to send the ad. So a malicious advertiser can win the confidence of a publisher by serving legitimate ads, and then, on a weekend, when the publisher may not be vigilant, the advertiser switches in the malicious creative. This scam is at least 6 years old; it shows how desperate the NYT is for ad dollars that it would expose itself to it now.
  • Mitch Stone
    I'm still waiting for an explanation for how any web site running ads can protect itself 100% against these scammers. Do they investigate every advertiser, and do they do it every day the ad runs? Is anyone actually doing this, and if so, who?

    I ran into this same hack in a Google search, and I'm quite sure I'm not the only one. I don't remember any articles drubbing Google for allowing their search engine to be compromised, let alone an apology from Google.

    Face it, the Times is an easy target for criticism -- none of which gets us anywhere, if only because I've yet to see any effort to explain the underlying exploit, how it was implemented, or what kind of damage it might have done. So there's still a few things missing in this story -- like everything of real importance.
  • Peter Kafka
    Mitch's point is a good one, ad tech experts: Is it possible for Web publishers -- of any size -- to really vet each and every sale? Same question for ad networks, while we're at it.
  • daviddaviddaviddavid
    Except that Google ads are all text. Yes, some of their ads will take you to malicious websites, but the ads themselves are benign. It sounds like the NYT ad was not. Presumably it had some nasty javascript to redirect you (without user interaction) to one of these malicious websites.
  • Stacy Smith
    Unless the publisher's adserver is able to shut down a campaign when creative is switched out on the advertiser's side, I don't see how this can be avoided 100%. Even then, if the publisher's adserving tag remains the same how would the publisher know a new creative version was uploaded...this is a solution that the major 3rd Party Adservers out there need to work on (Atlas, DoubleClick - Dart, MediaPlex).
  • elias manousos
    My organization ( http://riskiq.com ) offers a service for discovery of malware and other policy violations in paid advertisements.

    The problem has been getting worse as the popularity of ad exchanges grows.

    Part of the issue is the bad guys are smart enough to cloak the malware ads from the network's detection systems. Many of these attacks are zero hour so they can work around AV. The majority are social hacks.

    Unfortunately for publishers it is very difficult to spot without a 3rd party with a broader view of the ad network/advertisers.

    We log all the attacks we detect and this problem is not limited to flash. Also in most cases it doesn't infect users, typically they launch monetization techniques (stuffing, forced click) or silent hacks like XSS account takeovers, etc.

    For our publisher customers we can minimize the impact of malware on their ad networks through early warning and blocking. It is a tough problem.
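
The comments above describe redirect tags, where the advertiser's server decides what is served, and ask how a publisher would notice a creative being swapped behind an unchanged tag. The sketch below is an added example, not code from the post, the Times, or any commenter: it fingerprints the creative a tag returned at approval time and reports drift on a later fetch. The function names, the findings strings and the `.example` hosts are assumptions, and both sample creatives are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Markup that turns a static image creative into active content.
ACTIVE_RE = re.compile(r"<script|<iframe|<object|<embed|\bon\w+\s*=", re.I)

def fingerprint(body: str) -> dict:
    """Summarise what a third-party tag returned: hash, referenced hosts, active markup."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    hosts.discard(None)
    return {
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
        "hosts": hosts,
        "active": bool(ACTIVE_RE.search(body)),
    }

def drift(approved: dict, current: dict) -> list:
    """Compare the approved fingerprint with a later fetch of the same tag."""
    if current["sha256"] == approved["sha256"]:
        return []
    findings = ["creative-changed"]
    new_hosts = current["hosts"] - approved["hosts"]
    if new_hosts:
        findings.append("new-hosts:" + ",".join(sorted(new_hosts)))
    if current["active"] and not approved["active"]:
        findings.append("active-content-introduced")
    return findings

# Constructed sample: the creative reviewed at sale time (static image and link).
APPROVED = ('<a href="https://advertiser.example/offer">'
            '<img src="https://ads.advertiser.example/banner.gif"></a>')
# Constructed sample: what the same tag returns after a swap (adds a script from a new host).
SWAPPED = APPROVED + '<script src="https://cdn.unknown.example/a.js"></script>'

if __name__ == "__main__":
    baseline = fingerprint(APPROVED)
    for label, body in (("unchanged", APPROVED), ("swapped", SWAPPED)):
        print(label, drift(baseline, fingerprint(body)))
```

A check like this only sees what the advertiser's server chooses to return to the checker, which is the cloaking limitation raised in the last comment above.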

About Peter

Peter Kafka has been covering media and technology since 1997, when he joined the staff of Forbes magazine. Most recently, he has been the managing editor of the tech and media Web site, Silicon Alley Insider.
