Sep 14 2009

Malware with your morning paper

I imagine there are a fair number of people out there who are like me and instead of a cup of coffee and the morning paper they take the same cup of coffee and open up their favorite news sites online to get the morning’s news.  So I imagine there were more than a few people who were surprised yesterday morning to get a little something extra when they opened the New York Times site yesterday and got a pop-up ad telling them that their computer was infected with several hundred viruses and that they needed to buy some wonderful new anti-virus product to secure themselves.

We don’t know exactly how the NYT site was compromised and this code implemented, but there is a good analysis of the malware at Inputs & Outputs.  The ad used a scare tactic but by itself it didn’t do much.  But this phishing scheme did point users to a small program that probably did some very interesting things to the end user’s computer if you believed you actually were infected.  If you’re a Firefox user with NoScript installed, you probably didn’t even notice that this fun piece of code had been added to the NYT site.  Score one more for blocking scripts by default.

Looking at the analysis of this compromise, it appears that the code wasn’t directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT.  Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through.  The New York Times probably has a great security team who’s up on the latest vulnerabilities and does an excellent job protecting their site, but if the other companies they rely on for additional code can’t protect their systems, even the best team at the NYT won’t be able to do a thing.  It’s something for anyone who relies on third-party code on their site to think about.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

4 responses so far

4 Responses to “Malware with your morning paper”

  1. Stevenon 14 Sep 2009 at 9:15 am

    Great article. I’ve had the same problem with a guitar website I frequently visit. Great site, but the third party that provides the adds is something else….

  2. [...] original here: Network Security Blog » Malware with your morning paper Share and [...]

  3. Munyaon 15 Sep 2009 at 9:32 am

    This is a great post, and I have been researching this and just concluded an investigation of a malware infected host for a large client of mine and the results indicate that the user in question, at my client got the same or very similar pop up that mimicked a windows explorer window telling him his machine was infected, and the was the result of USAToday.com. so they appear to have had the same issues on Sunday and it appears no one has talked about them as yet. Im finalizing my investigation and will be incontact with someone at USA Today hopefully.

    Thx

  4. [...] party ad network vendor they use was serving “scareware” ads on New York Times site. Martin McKeay points out on his blog: “it appears that the code wasn’t directly on a NYT server, rather [...]

Trackback URI | Comments RSS

Leave a Reply

7ads6x98y
%d bloggers like this: