New York Times explains how malware got on its site
The New York Times says it has confirmed its initial suspicion that a bogus advertiser put site visitors at risk of malware. Embarrassingly, it appears the “advertiser” dealt directly with the newspaper rather than going through an ad sales network.
As we reported yesterday, the newspaper’s site was hit by a piece of malicious software; the Times’ initial suspicion that this was delivered by an advertisement has proven correct.
At first the Times believed the rogue software had come from an ad sold via an external network; half of the site’s ads are sold this way. But the newspaper has confirmed that the virus came from an ad buyer who passed themselves off as Internet telephone company Vonage and bought directly from Times staff. (The Times has also acknowledged that the time spent investigating the external network theory meant it took longer to get rid of the bogus ad.)
As Vonage has legitimately advertised on the site before, the newspaper allowed the people posing as Vonage staff to deliver the ads through a third-party which had not been vetted. It appears the ads were initially harmless but were switched by the hackers during a campaign.
For the moment, the Times has suspended all advertising which is physically placed on the site by third-parties. In future it will only allow approved companies to deliver the ads, regardless of whether they are sold directly or through an agency.
The good news is that the malware has been identified as Mal/FakeAvJs-A and appears to be an irritant rather than a serious security threat. It’s not believed to have the ability to transmit any personal data from an infected machine or to seriously damage a computer’s operation.
Instead it’s designed to fool users into believing their computer is infected with viruses and then offer them the chance to buy a removal program named “Personal Antivirus”. Unfortunately the only thing that will remove is $59.99 from your card account.
Related Posts:
