Comments on: The New York Times Explains How It Got Hacked: It Sold an Ad to a Hacker

By: Protect your PC with AVG Free « A Motherhood Experience

Protect your PC with AVG Free « A Motherhood Experience — Thu, 24 Jun 2010 01:14:26 +0000

[...] site knowing it’s there. Once the user visits the site, the virus attacks. If it can happen to nytimes.com, it can happen [...]

By: daviddaviddaviddavid

daviddaviddaviddavid — Sat, 16 Jan 2010 07:36:09 +0000

Except that Google ads are all text. Yes, some of their ads will take you to malicious websites, but the ads themselves are benign. It sounds like the NYT ad was not. Presumably it had some nasty javascript to redirect you (without user interaction) to one of these malicious websites.

By: Ad Giant Publicis Tells Publishers to Throw Bodies at the Fake Web Ads Problem | Peter Kafka | MediaMemo | AllThingsD

Tue, 13 Oct 2009 12:13:35 +0000

[...] month, the New York Times (NYT) was attacked by hackers who bought fake Web ads from the publisher. And one of the world’s biggest ad companies says that won’t be the last [...]

By: Weekend Update 9.19.09–The Real World, Silicon Valley Edition [Digital Daily] | UpOff.com

Sun, 20 Sep 2009 22:14:40 +0000

[...] Valley malevolence even spread to Gotham early in the week. MediaMemo got the backstory on how the New York Times was hacked into spreading malware to its Web visitors. The explanation: It sold an ad to hackers, who posed as [...]

By: FateMaster Tech News » Weekend Update 9.19.09- The Real World—Silicon Valley Edition. [Digital Daily]

Sun, 20 Sep 2009 19:03:26 +0000

[...] malevolence even spread to Gotham early in the week. Media Memo got the back story on how the New York Times was hacked into spreading malware to its web visitors. The explanation: They sold an ad to hackers, who posed [...]

By: Weekend Update 9.19.09- The Real World—Silicon Valley Edition. [Digital Daily] | TECHNICK

Sat, 19 Sep 2009 21:15:21 +0000

By: Weekend Update 9.19.09- The Real World—Silicon Valley Edition. [Digital Daily] | UpOff.com

Sat, 19 Sep 2009 19:54:30 +0000

By: Weekend Update 9.19.09- The Real World—Silicon Valley Edition. | Beth Callaghan | Digital Daily | AllThingsD

Sat, 19 Sep 2009 19:21:24 +0000

By: Internet Strategy, Marketing & Technology Links – Sept 17, 2009 | Sazbean

Thu, 17 Sep 2009 12:22:42 +0000

[...] The New York Times Explains How It Got Hacked: It Sold an Ad to a Hacker [MediaMemo] (All Things Dig… [...]

By: Internet Strategy, Marketing & Technology Links – Sept 16, 2009 | Sazbean

Wed, 16 Sep 2009 12:49:32 +0000

[...] The New York Times Explains How It Got Hacked: It Sold an Ad to a Hacker [MediaMemo] (All Things Dig… [...]

By: elias manousos

elias manousos — Wed, 16 Sep 2009 02:06:59 +0000

My organization ( http://riskiq.com ) offers a service for discovery of malware and other policy violations in paid advertisements.

The problem has been getting worse as the popularity of ad exchanges grow.

Part of the issue is the bad guys are smart enough to cloak the malware ads from the network’s detection systems. Many of these attacks are zero hour so they can work around AV. The majority are social hacks.

Unfortunately for publishers it is very difficult to spot without a 3rd party with a broader view of the ad network/advertisers.

We log all the attacks we detect and this problem is not limited to flash. Also in most cases it doesn’t infect users, typically they launch monetization techniques (stuffing, forced click) or silent hacks like XSS account takeovers, etc.

For our publisher customers we can minimize the impact of malware on their ad networks through early warning and blocking. It is a tough problem.

By: Stacy Smith

Stacy Smith — Tue, 15 Sep 2009 20:38:00 +0000

Unless the publishers adserver is able to shut down a campaign when creative is switched out on the advertisers side, I don’t see how this can be avoided 100%. Even then, if the publishers adserving tag remains the same how would the publisher know a new creative version was uploaded…this is a solution that the major 3rd Party Adservers out there need to work on (Atlas, DoubleClick – Dart, MediaPlex).

By: Peter Kafka

Peter Kafka — Tue, 15 Sep 2009 20:11:50 +0000

Mitch’s point is a good one, ad tech experts: Is it possible for Web publishers — of any size — to really vet each and every sale? Same question for ad networks, while we’re at it.

By: Mitch Stone

Mitch Stone — Tue, 15 Sep 2009 16:21:20 +0000

I’m still waiting for an explanation for how any web site running ads can protect itself 100% against these scammers. Do they investigate every advertiser, and do they do it every day the ad runs? Is anyone actually doing this, and if so, who?

I ran into this same hack in a Google search, and I’m quite sure I’m not the only one. I don’t remember any articles drubbing Google for allowing their search engine to be compromised, let alone an apology from Google.

Face it, the Times is an easy target for criticism — none of which gets us anywhere, if only because I’ve yet to see any effort to explain the underlying exploit, how it was implemented, or what kind of damage it might have done. So there’s still a few things missing in this story — like everything of real importance.

By: mark moran

mark moran — Tue, 15 Sep 2009 14:56:27 +0000

In the early days, most Internet advertisers sent the actual creatives to the publisher, who served these ads through the publisher’s ad server. These days, most publishers allow legitimate advertisers to provide re-direct tags, so that the publisher, instead of serving the actual advertisement, instead indirectly calls the advertisers ad server to send the ad. So a malicious advertiser can win the confidence of a publisher by serving legitimate ads, and then, on a weekend, when the publisher may not be vigilant, the advertiser switches in the malicious creative. This scam is at least 6 years old; it shows how desperate the NYT is for ad dollars that it would expose itself to it now.