When visitors to The New York Times website began falling victim to a fake anti-virus ad that attempted to install malware on readers' computers, some, myself included, suspected that the ad was probably being served through an ad network.

According to The Times, about half of the ads that are served on its website come from ad networks and they are an obvious target for scammers looking to distribute rogue ads that deliver malware.

But as it turns out, the rogue ad that was wreaking havoc with some Times readers was actually sold by The New York Times itself.

As Ashlee Vance of The Times details in an article on the matter, a scammer masquerading as VoIP company Vonage purchased ad inventory from The Times. Since The Times has sold ads to Vonage in the past, it allowed the scammer to serve up the ads from a third party ad server that had not been vetted. For a while, real Vonage ads were displayed but as early as late Friday the scammer switched the ads on the third party ad server to spread a rogue ad promoting fake anti-virus software.

While malware posing as anti-virus software and rogue ads are nothing new, the attack against New York Times readers is notable. It affected enough people to attract attention and the scammers were brazen enough to actually purchase advertising directly from The Times itself despite, as Vance points out, the inherent risks involved.

The incident highlights several things:

  • The increasingly sophisticated nature of online crime. It's a safe bet that the scammers who targeted The Times are not amateurs. That online criminals would buy advertising from a brand publisher and serve legitimate ads for some time hints at the lengths scammers will go to hook more victims. The reason is obvious: cybercrime is big business.
  • The difficulty publishers have in protecting themselves and their users. It's apparent from Vance's description of the events that transpired this weekend that publishers are extremely vulnerable in part because selling and displaying advertising is fairly complex and often involves many parties. Tracking down a rogue ad and identifying where it is being served from seems easy at first. But when you have direct relationships with potentially hundreds of advertisers at any given time and then have relationships with multiple ad networks that are serving ads for potentially hundreds or thousands of campaigns, it's no surprise that tracking down the source of this attack was so difficult.

So what are publishers to do?

To start, the best offense is always a good defense. Vetting ad buys and where ads are being served from is a good idea. According to Times spokeswoman Diane McNulty, the company "will not allow any advertiser to use unfamiliar third-party vendors" going forward.
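One way a publisher's ad operations team could check where a directly sold ad is being served from, and whether it has changed since approval. This is an added example, not code from The Times or the article; the allowlist, host names and sample markup are constructed, and it assumes the publisher periodically captures the markup the ad server returns.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of ad-serving hosts the publisher has vetted.
VETTED_HOSTS = {"ads.vetted-adserver.example", "cdn.vetted-adserver.example"}


class ResourceHosts(HTMLParser):
    """Collect the hosts a creative loads content from (src/data attributes)."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "data") and value:
                host = urlparse(value.strip()).hostname
                if host:
                    self.hosts.add(host)


def snapshot(served_markup):
    """Record which hosts the served markup loads from, plus a content hash."""
    parser = ResourceHosts()
    parser.feed(served_markup)
    parser.close()
    digest = hashlib.sha256(served_markup.encode("utf-8")).hexdigest()
    return {"hosts": parser.hosts, "sha256": digest}


def audit(approved, current, vetted=VETTED_HOSTS):
    """Compare a fresh capture with the snapshot taken when the ad was approved."""
    findings = [("unvetted_host", h) for h in sorted(current["hosts"] - vetted)]
    findings += [("new_host_since_approval", h)
                 for h in sorted(current["hosts"] - approved["hosts"])]
    if current["sha256"] != approved["sha256"]:
        findings.append(("content_changed", current["sha256"][:12]))
    return findings


# Constructed sample captures: the creative as approved, and a later capture.
APPROVED = ('<script src="https://ads.vetted-adserver.example/tag.js"></script>'
            '<img src="https://cdn.vetted-adserver.example/banner.gif">')
LATER = ('<script src="https://ads.vetted-adserver.example/tag.js"></script>'
         '<iframe src="//creative.unvetted-host.example/frame.html"></iframe>')

if __name__ == "__main__":
    for finding in audit(snapshot(APPROVED), snapshot(LATER)):
        print(finding)
```

A content change alone is routine for rotating campaigns; the findings worth escalating are a host outside the vetted list or one that was not present when the ad was approved.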

And while The Times wasn't the victim of a rogue ad from an ad network, ad networks need to be evaluated carefully:

  1. Less may be more. In my opinion, many publishers use too many ad networks and I'm not sure it's usually necessary. From a security standpoint, the chances of something bad happening increase as you add more third party code to your site and this includes ad network code.
  2. Due diligence is required. Most ad networks rely on other networks to fill inventory they can't move. You can see where this leads when it comes to the possibility of rogue ads finding their way onto a site. That's why it's so important for publishers to understand how their ad networks operate and who they work with. With this information, better decisions can be made (for instance, many ad networks let you serve your own defaults if you choose, and this may be a better option than being paid pennies for remnant ads).

The internet isn't a safe place. From your WordPress installation to the ads you serve, scammers are looking for ways to piggyback on your audience to do their dirty work and you can't let your guard down if you hope to repel them.

Published 15 September, 2009 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy.

Comments (2)


Gene De Libero

Patricio - the money quote for me is the comment near the end where you say, "That's why it's so important for publishers to understand how their ad networks operate and who they work with." If we're going to embrace ad networks, then we need a plan for care and feeding of same. Failure to plan courts problems and failure to act is no excuse. Most publishers I've worked with want revenue at any cost. Throw as many ad networks up as you can, as fast as you can. Today's article in the Times indicated that they're pulling ~50% of their adverts from ad networks! I wonder how many people they have managing those ad networks?

almost 9 years ago


Nicholas Leck

New York Times has an estimated 17.5 million unique visitors a month. Opening up this many people to a security threat such as this could be a catastrophe if it is viral in nature. NYT.com is one of the top 100 websites on earth. It has an online department bigger than their print department. Maybe they should consider having a malware monitoring and detection service running. It is as easy as switching the monitoring service on; the monitoring service scans your site for any uncommon site behaviour and notifies the site owners. It is almost as if these companies are using their own visitors as the monitoring system, waiting for them to get hacked, then responding to the attack once they make a complaint.

almost 9 years ago
