The New York Times Company has scrambled to address a security threat that emerged over the weekend in the form of a malicious ad on the newspaper’s Web site.
The ad appeared as a pop-up box containing a security warning, advising users that their machines were infected and directing them to a Web site that purported to offer antivirus software but actually contained a Trojan.
In its explanation of the incident, the company said its own sales staff had sold the ad, which “masqueraded as a national advertiser.”
The advertiser the culprits impersonated was later revealed as Internet phone provider Vonage.
The ad displayed legitimate messages for about a week, but then switched near the beginning of the weekend to display the phishing pop-up.
The Times Company said that the ad had been sold by its own staff, rather than a third-party advertising network, as it had originally suspected.
Vonage has advertised on the Times’ Web site in the past. Because of that relationship, the advertising staff at the Times Company mistakenly approved the ads from an unfamiliar outside vendor that claimed to be submitting them on behalf of Vonage. The Times Company is discontinuing that practice, and will only approve ads from companies it has vetted.
On Sunday, the Times posted a notice about the threat, warning visitors that the pop-up box was a rogue ad and advising them to quit and restart their browsers if it appeared.
Then yesterday, the Times published a detailed post explaining the incident on its Gadgetwise blog. The Times’ Riva Richmond wrote that users who only viewed the ad — but did not click on it — should be safe, but suggested that they clear their browser cache to remove any lingering malware.
“If you did click to ‘scan’ your machine for problems, the program will tell you that it supposedly detected 38 threats. Not true,” Richmond wrote. “What it actually did was install a so-called Trojan horse that’s a classic example of rogue antivirus software, also known as ‘scareware,’ a growing menace on the Internet.”
Security experts say that these sorts of malicious ads, sometimes known as “malvertisements,” are an increasingly common method of propagating an attack.
“This attack provides a perfect demonstration of how being able to inject malicious content into ad content is a powerful way of hitting a large audience,” Sophos Labs security analyst Fraser Howard wrote in a blog post.
Sophos inspected the Times’ ad script yesterday afternoon and found that the malware content had been removed, Howard said.
The Times noted that “anecdotal reports” have surfaced detailing similar threats across a variety of sites, including the San Francisco Chronicle.
Earlier this year, the tech-news site eWeek was hit with a malvertising attack, though that attack originated from an ad sold through the network DoubleClick, unlike the Times incident, in which the ad was sold directly by the company’s staff.
Update clarifies the process by which the ads were delivered and approved.