New York Times serves up malware ads with news
The Web’s most popular newspaper website got a little too close to the news this weekend, inadvertently serving some of its visitors a pop-up ad that masqueraded as a virus checker and urged users to download virus-like antivirus software.
The Times said on its website that the source of the bogus ads appeared to be an advertiser that had served legitimate ads for a week, but then switched to the illicit ones over the weekend.
The site posted instructions for visitors who may have been affected by the ad, urging them to install (legitimate) antivirus software, and noted that even users who didn’t click the pop-up could have been affected.
“Click or not, the user could still get infected,” Neil Daswani, a founder of Web security firm Dasient, told the Times.
In a statement, Times spokesperson Diane McNulty said that the paper “suspended advertising that is inserted automatically into its pages by outside ad-placement companies” in response to the security lapse.
Security experts were quick to point out that the breach likely wasn’t the Times’ fault. “It is the advertising network that should be screening adverts to hunt for malicious content, higher up the stream,” Graham Cluley, a Senior Technology with Sophos, told eWeek.
Still, users were upset: “Thanks for telling us how to fix our computers that your site infected,” NYTimes commenter “mrscotchy” wrote. “Can you tell us more about what the NYTimes is doing to prevent this from happening in the future and how these malicious ads came to appear on your site?”
Sure, the Times may have been targeted because of its size and high traffic numbers, but the question remains – if the New York Times is susceptible to an attack like this, what about the rest of us?