NYTimes Scareware Attack Shows Weakness of Ad Networks

Media sites, including the New York Times, have become the latest targets of attackers who make their living by poisoning online ads and redirecting unsuspecting visitors to malicious Web pages or trying to trick them into downloading malware.

Over the weekend attackers were able to buy ads on the New York Times main site and use the ads in a scareware scheme designed to plant malware on users’ PCs. The scheme, which involved users seeing a pop-up window warning them that their machines were infected with malware and they needed to download an antivirus application to remedy the problem, is the latest indicator of just how sophisticated the hackers perpetrating these attacks have become.

In the New York Times scareware incident, the hackers bought ad space on the Times site, used it to display legitimate ads for a couple of days and then replaced the ads with the scareware scam. The incident is a major embarrassment for the Times, which addressed the attack in a story on Tuesday.

About half of the ads delivered to The Times’s Web site come from ad networks. As reports of strange activity came in over the weekend, the technical and advertising staff at The Times began to suspect that a rogue ad had slipped through this way, and they moved to stop displaying such ads, said Diane McNulty, a spokeswoman for the Times Company.

But it now appears that the ad was approved by the site’s advertising operations team, Ms. McNulty said. People visiting nytimes.com continued to complain about the pop-up ads throughout the weekend.

The Times is not alone in being targeted by this scam. Several other media sites, including Fox News and the San Francisco Chronicle, have fallen prey to similar attacks. Many online ads are sold through third-party vendors and delivered by ad-syndication networks, a setup that makes it difficult for site owners to know exactly who is behind a specific ad buy. However, executives at The New York Times admitted that they did not even go through the normal verification process for this particular ad purchase.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.

While the process at The New York Times broke down in this case, attackers have shown that even with better vetting processes, they can still get the job done. The Byzantine networks of ad syndicators, third-party ad buying services and other players in this business make it ripe for abuse.
