The New York Times Explains How It Got Hacked: It Sold an Ad to a Hacker
How did the New York Times end up serving a fake–and potentially dangerous–ad from its NYTimes.com site over the weekend? It got paid to do it.
That’s the unsettling story that comes out of the Times’s explanation of the incident, in which an untold number of the sites’ visitors were served up with an ad promoting malware.
The attack, which the Times says was also directed at other, unnamed news organizations, is worrisome enough. But the fact that the culprits behind it essentially walked right into the front door of the New York Times (NYT) and conned the paper into distributing the fraudulent ads is really scary.
The short version: The Times says that someone who “masqueraded as a national advertiser” bought ad space on the site, which is visited by some 45 million people a month from the U.S. alone. The unnamed buyer “provided seemingly legitimate product advertising for a week.”
UPDATE: The Times says the fake ads were for Internet phone service Vonage.
Then, over the weekend, the culprits started churning out the malware. The Times has issued a statement explaining some of what happened, which I’m reprinting at the bottom of this post (the paper also has a consumer guide to help you protect yourself from malware, viruses and other Web unpleasantness).
But the statement is a bit confusing and seems to indicate that the paper was compromised by an ad network it used to sell remnant space on the site. That’s what I thought might have happened at first, and that’s what the paper’s tech staff thought as well–note the reference to “suspending all third-party advertisements on the site.”
But I double-checked with Times spokeswoman Diane McNulty, who confirmed that that paper’s own staff had sold the fake ad.
How could this happen? I don’t know–anyone with Web buying experience want to weigh in? But I do know that it’s not the first time bogus ad buyers have bought space directly from publishers.
Earlier this year, I wrote about an incident in which someone pretended to buy ads on behalf of Hyundai. And that story elicited a response from an ad exec at a very big, very well-known Web publisher, who told me that in 2008, his employer had received a large order on behalf of a different auto company, and ran some of the ads before figuring out they were fakes.
Here’s the Times’s explanation:
As you know, over the weekend, nytimes.com was the victim of a malware attack that targeted several news organizations. The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week. Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.
As soon as we were made aware of the situation, we took aggressive steps, suspending all third-party advertisements on the site. We posted information about the attack on our home page and directed readers on what to do if they encountered the malicious code. There is additional information posted today on our homepage and our Gadgetwise personal technology blog.
We now know how it occurred and have taken steps to prevent a similar situation from happening.