Rogue ad leads to fake anti-Virus (Update 2)

Update 2:

Kerry Scott from the New York Times sent over the following:

"The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week. Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader's computer, appeared.

"As soon as we were made aware of the situation, we took aggressive steps, suspending all third-party advertisements on the site. We posted information about the attack on our home page and directed readers on what to do if they encountered the malicious code."

In addition, NYT has taken steps to ensure it doesn't happen again by giving the advertising platform a makeover.


While we haven't yet heard back from anyone over at NYT, Troy Davis offers a good technical look at the attack through his official blog.


Original article:

On Sunday afternoon, The New York Times issued a warning that some readers were being directed to a website offering anti-Virus protection following the appearance of infection pop-up alerts. Such infection notices, and the resulting fake scans that report dozens of supposed infections, are a common ploy used by rogue anti-Virus software.

“We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser,” said the NY Times in a post to readers.

The rogue anti-Virus, an example of which can be seen below, is a gimmick that actually generates decent income for some of the criminals who spread it. They are paid for getting someone to install it, and will sometimes take a cut if someone registers it.

The situation is grim either way for the user because, if not registered, the rogue anti-Virus will hinder system performance, block access to various websites and security applications, as well as open the system for further malicious downloads. If the fake software is registered, not only is there a loss of money, but any personal information submitted during the registration process is compromised as well.

What is known so far is that the rogue anti-Virus attack came from the advertisements served on There was no pattern to the anti-Virus warnings, which appeared as an article was loaded. Reports on CNET, as well as All Things D, had readers commenting that the malicious ads were shown with several articles, both past and present.

The problem is that uses different channels for advertisements, so the appearance of rogue anti-Virus ads might be the freak result of a blind ad buy. In the past, legitimate ads have been hijacked to serve Malware by advertising networks that either didn’t catch the malicious ads in screening, or simply do not check the ads ordered. To that end, there is no clear explanation for the fake alerts at this time.

The Tech Herald has asked the New York Times for more information on the attack, as well as an update on the overall issue. We will refresh this article if and when the publication responds.
