A security breach forced The New York Times on Monday to suspend online ads that are served directly from an advertiser’s website.
The move comes after a security loophole allowed scammers over the weekend to swap an innocuous advertisement for one serving a fake virus warning and hawking a deceptive scareware product intended to sell bogus security software.
“The ad was submitted directly to our Digital Advertising Operations team,” said Diane McNulty, a spokeswoman for the organization, in an e-mail.
“The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week,” McNulty wrote. “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”
Readers who clicked on the ad found their browsers hijacked while a fake virus scan was displayed. If they allowed the malicious website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.
Eastern European cybercrooks have been running an identical scam all month using search engine optimization techniques to promote their scammy websites to the top of Google search results on popular queries. In this case, they were apparently able to reach the Times’ audience because the paper was allowing advertisers to host ads from the advertisers’ own servers, making it possible for the scammers to substitute in anything they wanted to display on the newspaper’s website.
Trend Micro said the ad was being hosted by Hetzner AG, a German provider it claimed “has a colorful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLs.”
The Times declined to identify the “national advertiser” the scammers originally impersonated.