OVER the weekend, some visitors to the Web site of The New York Times received a nasty surprise. An unknown person or group sneaked a rogue advertisement onto the site’s pages.
The malicious ad took over the browsers of many people visiting the site, as their screens filled with an image that seemed to show a scan for computer viruses. The visitors were then told that they needed to buy antivirus software to fix a problem, but the software was more snake oil than a useful program.
Exploiting weaknesses in online ad systems is an increasingly common approach for computer criminals around the globe who hope to make a quick buck from the audiences of the sites they attack. Experts say the problem is likely to get worse as companies scramble to satiate a click-happy online culture. “The development of multimedia ads, mini-applications and social networking tools is far outpacing the speed of the thinking process about the security that goes into those applications,” said Joe Stewart, a director of malware research at SecureWorks, a security services company.
Web sites like FoxNews.com have been victims of such attacks in the past. And there were anecdotal reports in recent days of similar ads popping up on a range of sites.
Kelly Harville, a spokeswoman for The San Francisco Chronicle, said the newspaper was looking into a problem on its site. “We did get hit with something over the weekend,” she said. “We’re still looking into it.”
While Web site owners usually review the ads they run for quality control and security reasons, many online ads are sold and distributed through middlemen known as ad networks. As a result, ads can appear on a site that its operators have not directly approved, and they may be pulled into its pages from computer servers that it does not control.
About half of the ads delivered to The Times’s Web site come from ad networks. As reports of strange activity came in over the weekend, the technical and advertising staff at The Times began to suspect that a rogue ad had slipped through this way, and they moved to stop displaying such ads, said Diane McNulty, a spokeswoman for the Times Company.
But it now appears that the ad was approved by the site’s advertising operations team, Ms. McNulty said. People visiting nytimes.com continued to complain about the pop-up ads throughout the weekend. “Our first instinct was that it was a third-party ad network,” said Marc Frons, chief technology officer of the Times Company. “That is where we looked first and why it took a longer amount of time to shut down. The other issue is that it was sporadic and difficult to reproduce.”
The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.
Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.
Mr. Frons said it was unclear how many people saw the ads.
Security experts say that people who followed the ads’ instructions and installed the fake antivirus software will likely receive periodic offers to buy more types of software. (Most legitimate antivirus programs are able to clean up the mess left behind.) “Once they’ve fooled you with one thing, they try and fool you with something else,” said Kevin Haley, a director in the security software maker Symantec’s response team. “It’s extremely profitable for them.”
According to security experts, groups that are often based in Russia and Ukraine create the fake antivirus software and then recruit people to help distribute it by giving them a cut of any money made by selling the software. These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible.
The malicious ads and software can damage a Web site’s reputation and make its visitors nervous. The Register, a British technology news site, was hit in 2004. “We took down all of our ads for several days, even when we were told the problem had been fixed,” said Drew Cullen, an editor for the Web site. “We wanted to make absolutely certain that everything was fine, so that our readers would have faith in us.”
When a Web site with millions of readers is tricked into running such ads, it can generate a flood of software sales for the criminals, but it can also draw more attention than they had hoped for, Mr. Stewart said. “Still, there’s probably not a big downside for them,” he said. “They will make plenty of money.”
The Times posted a note about the ad problem on its Web site Sunday. Ms. McNulty said it was considering working with law enforcement in a bid to track down the people who submitted the deceptive ad, while also creating new policies to prevent such mistakes.