September 13, 2009 12:10 PM PDT

Rogue ad hits New York Times site

by Steven Musil

Updated at 5:50 p.m. PDT September 14 with explanation from The New York Times.

The New York Times' Web site is grappling with problems created by an "unauthorized advertisement," but it is unknown how the ads managed to appear on the site and whether the site had been compromised.

The rogue ad warns readers that their computer may be infected with a virus and redirects them to a site that purports to offer antivirus software, according to a note posted to the newspaper's Media & Advertising section:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser.

The site, best-antivirus03.com, is a so-called hijacker that uses fraudulent strategies to promote fake security software, according to security site GeekPolice.net.

One CNET reader described how the pop-up ad essentially hijacked his browser, preventing him from navigating away from the site.

"They took me to an 'antivirus site,' which kept attempting to scan my computer and install software. Using the back button kept reloading the virus page," the reader said. "It was not possible to close the page, necessitating a force quit."

Update with explanation from The New York Times:

The New York Times said the offending ad was provided by someone posing as a national advertiser with a legitimate-looking advertising product. Over the weekend, the ad being served was swapped out so that the offending ad would appear instead, the Times said.

"As soon as we were made aware of the situation, we took aggressive steps, suspending all third-party advertisements on the site," Diane McNulty, executive director of Community Affairs and Media Relations, said in a statement. "We now know how it occurred and have taken steps to prevent a similar situation from happening."

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
Showing 1 of 2 pages (74 Comments)
by inachu1 September 13, 2009 12:48 PM PDT
Must mean the newspaper giant is really in need for some quick cash by doing this.
NEVER Do third party advertisements.
CNET/NEW.com learned their lesson years ago from shady infected downloads.

I think cnet can advise the newspaper giant on how to do things the right way.
by redwall_hp September 14, 2009 2:03 PM PDT
I used to handle ad sales myself, but it got to be too time-consuming for a single-man operation. I now use the BuySellAds.com marketplace, which I consider to be one of the most progressive ad networks in business. (The same network used by Envato's *TUTS sites, among other major blogs in the web design and development industry.)

They don't accept any Flash-based ads, just JPG, GIF, and PNG. They let you set your own prices for placements, and you get final approval before an ad goes live.

There are other interesting networks, like Fusion Ads and The Deck that are similarly for a better experience for the users and publishers.

Simply staying away from third-party ads isn't necessarily the solution. Staying away from large networks like TribalFusion and FastClick that let advertisers pay peanuts to run highly obnoxious, and occasionally malicious ads. While I'm sure networks like TribalFusion and FastClick have an approval process, things do slip through. The only solution is to not allow any Flash-based ads.
by Harlan879 September 13, 2009 12:50 PM PDT
Yeah, I saw that too. Really weird. I was able to kill the hijack by closing a Firefox tab before the page had fully loaded, but very disconcerting...
by datamuncher September 13, 2009 1:26 PM PDT
Had it happen to me this afternoon while browsing NYT online. Was wondering whence it came. Just love how the hijacked browser windows came decked out in Windows XP color scheme and UI. For us Mac users, the immediate response is "flush it down the pipes immediately", and Safari nicely obliged. I especially liked the scanner working through all the .dll's on my iMac and finding some worms !
by gsmiller88 September 13, 2009 6:46 PM PDT
Hehe, it's always nice seeing those pop ups with the Windows UI pop up in OS X.

*GASP* My Mac is infected with.....Windows XP?
by face0 September 13, 2009 1:29 PM PDT
This happened to me on newsweek.com last week....I suspected it came from doubleclick then...
by albertsoler September 14, 2009 1:08 PM PDT
Same here; also at newsweek and one other site -- but memory fails me. I thought something had corrupted my DNS cache. But, apparently, this thing is making the rounds pretending to be legit. Fortunately, my browser is marginally safer and did not get a foothold -- at least it doesn't appear it has.

I've had several people come to me this past summer with just this type of infection. It has rootkit-like behavior and is very difficult to clean. I told them I could spend several hours trying to clean it, with little hope of success. Or, I could preserve their files, then wipe out the drive and do a fresh install. Believe me, the latter is easier and less frustrating.
by BorealisOutdoor September 13, 2009 1:29 PM PDT
I've encountered such ads twice in the past three years, both times on a newspaper site. I think it has more to do with lack of scrutiny by media ad reps than a third party "compromising" the media websites. Serves 'em right if they lose out on potential advertising revenue as more readers install ad blocking applications.
by passeos September 13, 2009 1:47 PM PDT
My computer absolutely melted down while on the Times site yesterday. It was terrifying to watch all the different things it was doing. It wasn't a simple pop-up. The Times site says to e-mail with questions, but all the people at the other end are "out of the office." They don't even use pop-ups like Washington Post, SI.com and sometimes Fox, so I was shocked. I was using Firefox, and couldn't get anything to close, so I did a very hard reboot.
by powerlloyd September 13, 2009 1:49 PM PDT
I found it in the NYT "Disney :Yellow Submarine" article.
It was very cute, watching it 'scan' my Mac......
"Sorry folks, don't need your 'antivirus'.
My OS has an actual immune system, thank you, now go away."
Backed out it ok & on with the news, Safari just ignored it & went on w/life.
by sabre3901 September 13, 2009 3:20 PM PDT
Ok I know this virus is obviously directed at Pc users. But when are you Mac users going to realize that just like Pc's Macs can get viruses. Don't believe the Apple propaganda that Macs cannot get viruses it simply isn't true!
by powerlloyd September 13, 2009 4:21 PM PDT
Name one
by Alzoid September 13, 2009 5:07 PM PDT
Mac being "immune" is just the crap they push for marketing, they aren't as vulnerable as pcs, but they are in no way immune.

http://www.msnbc.msn.com/id/12537279/

2006 Article. So this crap isn't new.
by powerlloyd September 13, 2009 5:21 PM PDT
I did not say virus-proof.
I Said :
Name One Virus for OSX. Now.
For that matter, up to now.
I mean an OSX Virus. Now.
If we have to, we'll cross that bridge & buy sandbags, later.
What about Now ?
by powerlloyd September 13, 2009 5:31 PM PDT
Thank You,
I read the article. Not very detailed, was it ?
I have been offered the chance to install Updates, Quicktime Codecs and the like.
If it's not from someone I trust, I don't.
Anyone who clicks 'OK' to install malware on their machine gets what they ask for,
that is not 'viral' vectoring.
That is a willing act of stupidity.
by qitupxx September 13, 2009 5:57 PM PDT
How about the OSX/Leap-A worm virus?
Its old though.
by powerlloyd September 13, 2009 6:14 PM PDT
Fair, good call.
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99

Close more worm/trojan, not 'virus', not successful, either.
Never propagated in the wild.
I don't believe that trick will work anymore in OSX.
If not someone can jump in....

From a 2/2006 article :
"You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for non-Admin users, it fails to infect most applications."
by powerlloyd September 13, 2009 6:47 PM PDT
Sorry, I know I'm beating this poor horse to death,
the Bucs lost & I'm cranky. Beer is more fun, I'm logging out.....

I just read all the OSX Variant Definitions @ Symantec Site.
The interesting similarity they all shared was this :

Threat Assessment : Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low

Until one of you 'Macs just gotta have a virus guys/gals' writes a good one,
I will not be lied to & extorted into paying for Anti-Virus Software I Simply Don't Need.
G'nite. It's Beer Thirty.......
by bananaphonerules September 13, 2009 7:53 PM PDT
@powerlloyd
The stats are deceptive. They come from users that have that company's anti-virus installed.
So a MAC (or Windows) user that has no AV can be infected...but they won't show on the stats.

Add the opinion that 'MACs don't get virus' and 'we don't need no stinking AV'. How many people do you think will show in these stats?
by captainmorgan1 September 13, 2009 7:54 PM PDT
So why would you click on a flashing ad that says you have a virus if you own a Macintosh, which is nearly immune to viruses developed for PC's? Are you a ... flag bearer or just genuinely interested in showing the world how little you know? You admit to knowing you won't get a virus, ever, but continue to click on random things.

And people wonder why bad things happen to them? They generally ask for it half the time. P.s. why on Earth would anyone be interested in a "Disney remake" of a Beatles movie? People these days...
[CNET editor's note: Offensive comment deleted.]
by wahoospa September 13, 2009 2:01 PM PDT
I tell people when one of these pops up on their desktop do not touch it with the mouse, just press and hold your power button to shut the PC down, reboot and don't go back to that site again.
There is no way out except to shut down the PC. If you click anywhere on it, even the "X" in the top right corner, or click cancel, it will instantly load you with a virus.
by MadLyb September 13, 2009 2:26 PM PDT
Kind of uninformed and possibly even doing harm with your advice.

You can always kill the browser process and eliminate the issue. Meanwhile, doing a hard shutdown can be quite dangerous.

Of course, the freaking browser should stop this crap in the first place.
by Hokulea September 13, 2009 4:31 PM PDT
Rather than click on anything within the browser, just use Alt + F4 to shut it down.
by atomD21 September 13, 2009 7:42 PM PDT
I tell people to go buy a new PC. It's the only guarantee.
by ranger321ring September 13, 2009 7:57 PM PDT
The process cannot always be canceled; several of these hijack sites also create clones of IE. This happened to me, and I was forced to do a reset to factory to eliminate it.
by gomer43 September 13, 2009 9:30 PM PDT
@atomD21: Best. Comment. Ever.
by rapier1 September 14, 2009 8:11 AM PDT
Do a hard shut down? Really? Okaaay...

As for the browser stopping this crap in the first place - you really need to address the 'alert' and 'confirm' behaviours in javascript more than in the browser itself. Since both of these steal focus and require interaction there are any number of ways to manipulate this to create these sort of badly behaved pages.
by wahoospa September 13, 2009 2:18 PM PDT
I just went there to test it, the home page was ok. I clicked on "WORLD" on the left side for world news and BAM! it showed up. Cut my machine off by the power button and rebooted and everything is ok according to my Avira anti-virus and Malwarebytes.
by mjconver September 13, 2009 2:20 PM PDT
LOL.

Firefox + Adblock + NoScript == No Problem

Chrome and IE == See ya later, dummy
by cp256 September 15, 2009 10:38 AM PDT
Amen to that. Anyone who cares about their system should use those.
by SactoGuy018 September 13, 2009 3:01 PM PDT
As a user of Symantec's Norton Internet Security 2009 at the time, I saw this happen when I was surfing the New York Times' website with Google Chrome. Fortunately, I quickly closed the web browser, ran a NIS 2009 Full System Scan using the current malware definitions, and found no malware problems.

Small wonder why I quickly reported this to Symantec Tech Support, and since I have an NIS yearly subscription, quickly upgraded to Norton Internet Security 2010 and (cross my fingers!) hopefully won't see it again anytime soon!
by mudphud September 13, 2009 3:06 PM PDT
I saw it this morning too. Safari, with pop-ups turned off (I know it's not a protection, but it does cut down on some annoyances). It seemed like when I went to click on part of the article, the cursor hit the ad and launched it. I thought it was odd since I wasn't near it, but I just thought I was mistaken. Regardless, killed the window despite the enticing shiny buttons, no harm done.
by brienza1975 September 13, 2009 3:56 PM PDT
I think they finally got rid of it. I clicked on a lot of links and nothing popped up.
by shurbetr September 13, 2009 4:32 PM PDT
Saw that this morning too. MS Security Essentials Beta flagged it immediately. NICE.
by Hokulea September 13, 2009 4:34 PM PDT
Rather than click on anything within the browser, just use Alt + F4 to shut it down. It works with Firefox on Windows PC's.
by EvanSei September 13, 2009 4:47 PM PDT
yea I run a pc so this could cause a problem except I am running windows7 so take that ha, I use a great antivirus, oh and to top it off I only use safari, or chrome for browsing (thanks for the great programs Apple, google) so neener neener neener you can't infect me. by the way my tong is out childish I know
by brienza1975 September 13, 2009 5:30 PM PDT
Your tong?????? I only use Opera...does anybody remember that browser??????????????
by EvanSei September 13, 2009 8:54 PM PDT
@brienza1975
opps I meant tongue not tong, any ways I downloaded Opera about a week ago after hearing about it from a friend I personally did not like it and deleted it. so yea people still use it if they didn't I would not have heard about it.
by zentropic September 13, 2009 5:57 PM PDT
This NYT-derived junk hit me twice this weekend (XP Pro/Explorer 8.0 with all the upgrades). I immediately killed the Explorer process and added the crooks to my hosts file as

127.0.0.1 protection-check07.com

The readers using the Windows PCs would be well advised to copy the 20,000-long rogue sites hosts file into their c:/windows/system32/drivers/etc or other appropriate folder; I've been using this simple and effective method for years now as it cuts down dramatically on junk, ads and other web vermin.

Read http://www.mvps.org/winhelp2002/hosts.htm for more details.

--z.entropic
by amitg1979 September 13, 2009 6:57 PM PDT
If they find out who did it, do what MS does and sue the heck out of them. Microsoft has been going after these type of companies for years and have one every one of them.
by cloudmatt September 14, 2009 7:56 AM PDT
won not one. and are you sure I've never seen data to support that. not saying your wrong just like to know your source for saying this.
by mbenedict September 14, 2009 9:09 AM PDT
Microsoft routinely work with state and federal governments to shut down scareware companies.

State level example (civil lawsuit under Washington State's "Computer Spyware Act"):

http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=186100351

Federal level example (FTC restraining order):

http://news.bbc.co.uk/2/hi/technology/7779223.stm
by CaptAdventure September 15, 2009 9:49 AM PDT
@cloudmatt since you felt like fixing amitg1979's post, I thought I'd do you the same...
"you're" (not "your") wrong.
by SteamChip September 15, 2009 7:01 PM PDT
Aren't most of these guys in Russia, Rumania and elsewhere in that part of the world, local heroes making thousands monthly, boosting their local economy and unreachable by Microsoft?
by winstein September 13, 2009 7:20 PM PDT
I've seen this for a couple of weeks already. It is not just NYT, but it was on ESPN site and some recipe sites before. This is getting so bad that I almost want to give-up PC and ask the entire industry to start over again!
by September 13, 2009 8:13 PM PDT
Got hit browsing either Yahoo or Orlando Sentinel this weekend as well. It's not just the NYT as I was nowhere near that site at the time.