The New York Times fessed up that they were having problems in This note on September 13th:
Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.
A second NYT story today tells only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/
A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad, that at least part of the time redirected to russell-brand.cn, contained hostile javascript, which redirected to the actual fake AV site.
Some of the domains involved included:
protection-check07.com which resolved to IP address 88.198.107.25. That IP was also used by:
antivirusonlinescan03.com
antispywarescanner07.com
antispywarescanner08.com
best-antivirus03.com
best-spyware-scan01.com
best-spyware-scan03.com
intellectual-vir-scan08.com
intellectual-vir-scan09.com
malwareinternetscanner03.com
online-antivir-scan09.com
protection-check07.com
quick-virus-scanner01.com
quick-virus-scanner02.com
quick-virus-scanner08.com
reliable-scanner02.com
reliable-scanner05.com
These actually were shared across several IPs, including:
78.46.251.43 - Berlin, Germany, "your-server.de"
88.198.107.25 - Sweden, - "your-server.de"
88.198.120.177 - your-server.de
91.212.107.5 - Cyprus - Ricomm
91.212.127.200 - UK - Telos Solutions
94.102.51.26 - Netherlands - Ecatel
As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:
http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html
http://troy.yort.com/anatomy-of-a-malware-ad-on-nytimes-com
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.