Monday, September 14, 2009

In Brief: The New York Times fake anti-virus redirect

Several people have emailed asking if the fake anti-virus products I mentioned in today's blog article, "US Open and VMAs top rogue anti-virus efforts", were the same fake anti-virus that was reported as being launched from advertisements at the New York Times website over the weekend. The truth is, I didn't know! So I looked into it.

The New York Times fessed up that they were having problems in this note on September 13th:

Some readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to

A second NYT story today tells only SLIGHTLY more information:, see also:

A new advertising network that fed ads to the NYT ran "normal" ads for about a week, then suddenly started advertising malware sites over the weekend. An ad, that at least part of the time redirected to, contained hostile JavaScript, which redirected to the actual fake AV site.

Some of the domains involved included: which resolved to IP address That IP was also used by:

These actually were shared across several IPs, including: - Berlin, Germany, "" - Sweden, - "" - - Cyprus - Ricomm - UK - Telos Solutions - Netherlands - Ecatel

As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs:
