nytimes spyware
September 13, 2009 3:54 AM Subscribe
What's up with the NY Times trying to install spyware?
...and why is it still trying to this morning? You'd think that their tech folks woulda fixed it by last night.
...and why is it still trying to this morning? You'd think that their tech folks woulda fixed it by last night.
Response by poster: Ack, amateur on 'their' part. I should talk.
posted by leotrotsky at 3:57 AM on September 13, 2009
posted by leotrotsky at 3:57 AM on September 13, 2009
Nothing happened at my end. Can you be more specific?
posted by doctor.dan at 3:58 AM on September 13, 2009
posted by doctor.dan at 3:58 AM on September 13, 2009
Nothing on my end, either. Are you sure it's not something that's been living on your system prior to this?
Unless you're talking about their TimesPeople program that was hanging out at the top of my browser window, and that's their version of a community widget (supposedly. I don't have it installed).
posted by Verdandi at 4:02 AM on September 13, 2009
Unless you're talking about their TimesPeople program that was hanging out at the top of my browser window, and that's their version of a community widget (supposedly. I don't have it installed).
posted by Verdandi at 4:02 AM on September 13, 2009
Response by poster: I'm running a Mac, and it's Windows specific spyware, so probably not.
This is what I'm talking about (internal Metafilter link)
posted by leotrotsky at 4:09 AM on September 13, 2009
This is what I'm talking about (internal Metafilter link)
posted by leotrotsky at 4:09 AM on September 13, 2009
Happened to me just now. I'm on a Mac. I'd like to know the answer too.
posted by ImproviseOrDie at 4:14 AM on September 13, 2009
posted by ImproviseOrDie at 4:14 AM on September 13, 2009
Response by poster: For what it's worth, it only happened the first time I clicked through.
posted by leotrotsky at 4:18 AM on September 13, 2009
posted by leotrotsky at 4:18 AM on September 13, 2009
This happened to me also. A page appeared that looked like windows explorer and I had to force-quit firefox as there was no option other than 'click to install'.
I'm on a mac so I presumed it couldn't do anything, anyway.
posted by a womble is an active kind of sloth at 4:27 AM on September 13, 2009
I'm on a mac so I presumed it couldn't do anything, anyway.
posted by a womble is an active kind of sloth at 4:27 AM on September 13, 2009
Another data point here. Happened to me last night using Safari 4.0.x on OS X.
posted by The Michael The at 4:48 AM on September 13, 2009
posted by The Michael The at 4:48 AM on September 13, 2009
Me too just now
posted by lalochezia at 4:59 AM on September 13, 2009
posted by lalochezia at 4:59 AM on September 13, 2009
mac osx 10.4.X running latest firefox
posted by lalochezia at 4:59 AM on September 13, 2009
posted by lalochezia at 4:59 AM on September 13, 2009
Best answer: I got this as well on the article. Firefox 3.5.3 on WinXP. Page redirects to:
hxxp://protection-check07.com/1/?sess=pGTwzjDwMi02MyZpcD03Ni4xMjcuMTc2LjQmdGltZT0xMjU2OQAMPQdM
which prompts a download of
hxxp://protection-check07.com/download/Scanner-93cfc74_2006-63.exe
Guessing it's a malicious ad server, but could be a hack elsewhere.
posted by reptile at 5:03 AM on September 13, 2009
hxxp://protection-check07.com/1/?sess=pGTwzjDwMi02MyZpcD03Ni4xMjcuMTc2LjQmdGltZT0xMjU2OQAMPQdM
which prompts a download of
hxxp://protection-check07.com/download/Scanner-93cfc74_2006-63.exe
Guessing it's a malicious ad server, but could be a hack elsewhere.
posted by reptile at 5:03 AM on September 13, 2009
I sent them two messages from their web form yesterday afternoon pointing out that this was happening and providing more detailed information in the second message. So even if they didn't see it happening themselves, they should know.
posted by julen at 5:16 AM on September 13, 2009
posted by julen at 5:16 AM on September 13, 2009
The same thing happened to me. I'm running Firefox on a Mac. I was opening a series of new tabs from Google Reader when the fake Windows Explorer-like screen came up, but because all of the links were from different sites, I had no idea which one was the culprit. One of the sites was indeed from the NYT, so it's good to know that I'm not the only one this has happened to.
posted by sabira at 6:27 AM on September 13, 2009
posted by sabira at 6:27 AM on September 13, 2009
Ooh, that's a pretty good one. It looks fairly convincing, and it's hard (not HARD hard, just not instantaneaus) to shut down, even in Chrome.
I got it the first time I clicked that link from the FPP, but not from this page, until the 7th or 8th time I tried.
The Times is going to take a beating over this.
posted by dirtdirt at 6:50 AM on September 13, 2009
I got it the first time I clicked that link from the FPP, but not from this page, until the 7th or 8th time I tried.
The Times is going to take a beating over this.
posted by dirtdirt at 6:50 AM on September 13, 2009
Best answer: We're not the only one to notice it; lots of Twitter discussion. Haven't found any further info, just lots of people linking to the malware. Pretty much any complex website is vulnerable to being taken over at some point.
posted by Nelson at 6:57 AM on September 13, 2009
posted by Nelson at 6:57 AM on September 13, 2009
Best answer: It may not be the NYTimes itself. A lot of times when this has happened, it's been an advertiser on an advertising server doing it.
posted by Chocolate Pickle at 7:14 AM on September 13, 2009
posted by Chocolate Pickle at 7:14 AM on September 13, 2009
Best answer: I suspect it's one of the ads (though I usually have those blocked pretty well.) I also got shunted off to that best-antivirus03 malware site when I tried to read that walking-to-school story.
posted by ubersturm at 7:21 AM on September 13, 2009
posted by ubersturm at 7:21 AM on September 13, 2009
Best answer: I haven't gotten it, but the first time I tried loading the page it was hanging waiting on something from voicefive.com - it looks like they have a tracking pixel on the page, which I guess could be gathering behavioral data or perhaps randomly generating a survey, or something? Maybe that's related? When I tried visiting Voicefive's site an hour ago, they were down, but now they're back up. Just a guess.
Could also be from an ad server, as mentioned above - DoubleClick (who is serving, for example, the IBM and Visa ads on the page) has had troubles in the past being an unwitting mule for malware, and it seems really tricky to catch: DoubleClick is huge and they don't usually have a direct hand in vetting the ads they serve, that's more of the responsibility of the advertiser and the publishing website.
posted by Metroid Baby at 7:38 AM on September 13, 2009
Could also be from an ad server, as mentioned above - DoubleClick (who is serving, for example, the IBM and Visa ads on the page) has had troubles in the past being an unwitting mule for malware, and it seems really tricky to catch: DoubleClick is huge and they don't usually have a direct hand in vetting the ads they serve, that's more of the responsibility of the advertiser and the publishing website.
posted by Metroid Baby at 7:38 AM on September 13, 2009
Best answer: In the past with other large sites, this happens when someone exploits a poorly-run adserver or even just a box in an adserver's content delivery network (CDN). Imagine you're running ads on major sites and you've got a monster farm of boxes to handle the traffic, and then imagine you have some poorly executed plan for keeping every single server patched.
The tough thing for the sites serving multiple ads like the NYT is that you have contact with 50 different ad servers and networks and each page may be loading ads from all of those, but randomly, so troubleshooting which ad network is compromised is really tough.
posted by mathowie at 7:39 AM on September 13, 2009 [1 favorite]
The tough thing for the sites serving multiple ads like the NYT is that you have contact with 50 different ad servers and networks and each page may be loading ads from all of those, but randomly, so troubleshooting which ad network is compromised is really tough.
posted by mathowie at 7:39 AM on September 13, 2009 [1 favorite]
I've been getting this too-- (Firefox, Mac). I've been force quitting and then shutting down the computer entirely. Too paranoid? Is the force quit enough?
Or, it's a clever marketing ploy in anticipation of introducing pay to NYT on line. No more freebies unless you want this obnoxious spyware to pop up everytime. Pay the subscription and the problem goes away!
posted by nax at 7:59 AM on September 13, 2009
Or, it's a clever marketing ploy in anticipation of introducing pay to NYT on line. No more freebies unless you want this obnoxious spyware to pop up everytime. Pay the subscription and the problem goes away!
posted by nax at 7:59 AM on September 13, 2009
Thanks for pointing this out. My first reaction was that Mac OS X was running a virus scan. Then I realized that wasn't possible or I wouldn't even see it happening. You never see the virus scan. I closed the tab and the 'scan' stopped. I don't like it but it seems harmless for now.
posted by birdwatcher at 8:10 AM on September 13, 2009
posted by birdwatcher at 8:10 AM on September 13, 2009
I get it too but it's also happened to me on a few other websites in the last week or so.
Have you just come here to collectively vent/play amateur detective?
I see nothing wrong with that. Isn't amateur detective one of the things AskMe is great for?
posted by otherwordlyglow at 8:29 AM on September 13, 2009
Have you just come here to collectively vent/play amateur detective?
I see nothing wrong with that. Isn't amateur detective one of the things AskMe is great for?
posted by otherwordlyglow at 8:29 AM on September 13, 2009
but this is a completely crappy question for MetaFilter.
No, it's not. Just before clicking on AskMe and noticing this question, I had gotten the spyware from the "Judging Roberts" article. (I'm using Firefox on Windows). I had to cancel the download. Really freaked me out.
And the article I clicked on never appeared.
posted by jayder at 8:32 AM on September 13, 2009 [1 favorite]
No, it's not. Just before clicking on AskMe and noticing this question, I had gotten the spyware from the "Judging Roberts" article. (I'm using Firefox on Windows). I had to cancel the download. Really freaked me out.
And the article I clicked on never appeared.
posted by jayder at 8:32 AM on September 13, 2009 [1 favorite]
Best answer: re whether this is a good or bad question for MetaFilter, I must bow to long-time MeFites for that judgement, but I for one am grateful for this discussion. I was another to be caught by this nyt-linked malware this a.m.; had to force-quit to get out; NYT had no info on it; and when I went to Apple online support found some discussion -- but no help. So thank you mathowie, metroid baby, chocolate pickle, others for explaining and sharing.
posted by Bet Glenn at 8:36 AM on September 13, 2009 [1 favorite]
posted by Bet Glenn at 8:36 AM on September 13, 2009 [1 favorite]
I just got hit by this too. I am not going back to nytimes.com until I see it reported in this thread that they've recognized the problem and have taken steps to resolve it. Not good, NYT!
posted by intermod at 9:35 AM on September 13, 2009
posted by intermod at 9:35 AM on September 13, 2009
I'm going to chime in that it might be coming from an ad on the site. I was surprised to hear that this was happening on the NYT site, since it had JUST happened to me on the SFGate website (San Francisco Chronicle). Same spywear and everything, so I'm assuming bad ad.
posted by The Light Fantastic at 9:51 AM on September 13, 2009
posted by The Light Fantastic at 9:51 AM on September 13, 2009
I love Ask MeFi. I just received the same "computer infected" message that is infuriating to close down.
I've gotten the same crap a dozen times on other websites and was almost "tricked" the first time into thinking it was some system message. It does look "official."
I'm not really bothered that it appeared on the NYT. I'm sure they will fix it. Stuff happens. It worries me however that a "geek" like me can be nearly tricked by this thing tje first time it appears. Imagine the millions who fall for this crap.
Thanks for the message OP, and the subsequent replies. Thinking the NYT was invulnerable to this crap, my biggest concern was that it was somehow embedded on my system. By merely going from the NYT to MeFi, I had my answer in 15 minutes! And I wasn't even looking for it...
posted by private_idaho at 10:02 AM on September 13, 2009
I've gotten the same crap a dozen times on other websites and was almost "tricked" the first time into thinking it was some system message. It does look "official."
I'm not really bothered that it appeared on the NYT. I'm sure they will fix it. Stuff happens. It worries me however that a "geek" like me can be nearly tricked by this thing tje first time it appears. Imagine the millions who fall for this crap.
Thanks for the message OP, and the subsequent replies. Thinking the NYT was invulnerable to this crap, my biggest concern was that it was somehow embedded on my system. By merely going from the NYT to MeFi, I had my answer in 15 minutes! And I wasn't even looking for it...
posted by private_idaho at 10:02 AM on September 13, 2009
Best answer: The New York Times is aware of the problem.
Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to adtraffic@nytimes.com.
posted by av123 at 10:41 AM on September 13, 2009
Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to adtraffic@nytimes.com.
posted by av123 at 10:41 AM on September 13, 2009
I've had the same experience on Boing Boing this week. I wrote Mark F. about it, but no response yet. Could be connected to the same advertiser.
posted by yellowcandy at 11:08 AM on September 13, 2009
posted by yellowcandy at 11:08 AM on September 13, 2009
Yeah, this seems to be a problem on a number of sites right now. I've encountered it on the NY Times, some blogs, and other random pages while browsing.
posted by Aanidaani at 12:34 PM on September 13, 2009
posted by Aanidaani at 12:34 PM on September 13, 2009
It happened to me, too. I'm fairly certain I closed everything up without anything being downloaded (certainly, Firefox's download manager didn't appear). How can I, on a Mac, doublecheck to make sure nothing was downloaded to my computer without my knowledge?
posted by ocherdraco at 12:52 PM on September 13, 2009
posted by ocherdraco at 12:52 PM on September 13, 2009
Best answer: Thanks av123 for copying in the text. I'm not clicking on that nytimes link until I hear that this is fixed :)
NYT Digital is a HUGE operation. This should have been fixed 30 minutes after detection, or if they want to claim it's not their fault, then at least a clear explanation of what's going on. 24 hours and counting ...
posted by intermod at 2:30 PM on September 13, 2009
NYT Digital is a HUGE operation. This should have been fixed 30 minutes after detection, or if they want to claim it's not their fault, then at least a clear explanation of what's going on. 24 hours and counting ...
posted by intermod at 2:30 PM on September 13, 2009
Best answer: NYT Digital is a HUGE operation. This should have been fixed 30 minutes after detection
Does their adserving department work on weekends? Maybe they do, but I'd be surprised. And I want to buy them a round of drinks after this kerfuffle.
Full disclosure: I've worked in adserving for a few years. It can be phenomenally stressful. I'm lucky to have never had to deal with a suspicious ad network throwing malware at me, but I have had to deal with calls at 4 am about how so-and-so's roadblock is not live, and it's not our implementation but the other guys' that's at fault so there's nothing we can really do but wait for them to fix it, but the client is still going to have our heads once they hear about this.
If the malware's being loaded from an ad tag, it's possible that the tag's set up to rotate a totally-fine ad 99% of the time, and the hundredth time the creative looks identical, but -- boom -- malware. (I couldn't tell you for sure that this is how it's set up, but it is possible.) Generally, when a website tests ad tags, they're checking that the creative meets specs, doesn't prevent the page from loading, clicks through properly, etc. Malware is a very rare occurrence and I'm not sure many publishers have the time and methods to catch it. I mean, imagine reloading every single ad tag you receive one hundred times. Now imagine that you have five hundred of these tags and they all need to be live by tomorrow morning.
Not only that, advertisers can switch the ads in those tags at any time without any action needed on the publishing site's part. This greatly reduces the workload for both advertiser and publisher, but it's not common practice for advertisers to notify publishers for every creative swap they do, so one morning you wake up and there's an out-of-spec ad on your site where there was an OK one yesterday. I'm willing to bet that whoever's responsible for the malware scheduled the swap for this weekend because they knew no one would be around to catch it right away.
And, I'm not sure if the NY Times has this particular problem since they generally seem to be doing well with the ads, but a lot of advertising budgets have been scaled back, so there's often a scramble to sell remnant inventory, which may mean you have to give in and allow floating ads, or the ads where Obama wants moms to go back to school, or you entertain offers from unfamiliar ad networks.
So I really feel for these guys. Twitter and everywhere are exploding with OMG NYTIMES SUX, for something they probably couldn't have caught in advance.
posted by Metroid Baby at 3:29 PM on September 13, 2009 [4 favorites]
Does their adserving department work on weekends? Maybe they do, but I'd be surprised. And I want to buy them a round of drinks after this kerfuffle.
Full disclosure: I've worked in adserving for a few years. It can be phenomenally stressful. I'm lucky to have never had to deal with a suspicious ad network throwing malware at me, but I have had to deal with calls at 4 am about how so-and-so's roadblock is not live, and it's not our implementation but the other guys' that's at fault so there's nothing we can really do but wait for them to fix it, but the client is still going to have our heads once they hear about this.
If the malware's being loaded from an ad tag, it's possible that the tag's set up to rotate a totally-fine ad 99% of the time, and the hundredth time the creative looks identical, but -- boom -- malware. (I couldn't tell you for sure that this is how it's set up, but it is possible.) Generally, when a website tests ad tags, they're checking that the creative meets specs, doesn't prevent the page from loading, clicks through properly, etc. Malware is a very rare occurrence and I'm not sure many publishers have the time and methods to catch it. I mean, imagine reloading every single ad tag you receive one hundred times. Now imagine that you have five hundred of these tags and they all need to be live by tomorrow morning.
Not only that, advertisers can switch the ads in those tags at any time without any action needed on the publishing site's part. This greatly reduces the workload for both advertiser and publisher, but it's not common practice for advertisers to notify publishers for every creative swap they do, so one morning you wake up and there's an out-of-spec ad on your site where there was an OK one yesterday. I'm willing to bet that whoever's responsible for the malware scheduled the swap for this weekend because they knew no one would be around to catch it right away.
And, I'm not sure if the NY Times has this particular problem since they generally seem to be doing well with the ads, but a lot of advertising budgets have been scaled back, so there's often a scramble to sell remnant inventory, which may mean you have to give in and allow floating ads, or the ads where Obama wants moms to go back to school, or you entertain offers from unfamiliar ad networks.
So I really feel for these guys. Twitter and everywhere are exploding with OMG NYTIMES SUX, for something they probably couldn't have caught in advance.
posted by Metroid Baby at 3:29 PM on September 13, 2009 [4 favorites]
NY Times advice on what you should do if you got redirected.
posted by ocherdraco at 12:24 AM on September 14, 2009
posted by ocherdraco at 12:24 AM on September 14, 2009
Article says "the Times believes it has eliminated these ads", so I guess it's safe to go back into the water.
posted by intermod at 4:45 AM on September 14, 2009
posted by intermod at 4:45 AM on September 14, 2009
story posted to SlashDot last night
Still no specifics as to which ad network let this through, but there is one scary comment that someone saw this on CNN.com yesterday. If NYTimes isn't telling us, hopefully they're at least telling their colleagues at the ther major digital properties so that they can disconnect from the same ad network.
posted by intermod at 5:02 AM on September 14, 2009
Still no specifics as to which ad network let this through, but there is one scary comment that someone saw this on CNN.com yesterday. If NYTimes isn't telling us, hopefully they're at least telling their colleagues at the ther major digital properties so that they can disconnect from the same ad network.
posted by intermod at 5:02 AM on September 14, 2009
Best answer: Learning From the NY Times Attack Ad -- "The NYTimes.com site warned Sunday that it had inadvertently displayed an 'unauthorized advertisement' over the weekend that tried to use fake malware warnings to trick viewers into installing scareware."
posted by ericb at 3:05 PM on September 14, 2009
posted by ericb at 3:05 PM on September 14, 2009
Best answer: Today's Times explains what happened.
posted by Obscure Reference at 7:40 PM on September 14, 2009
posted by Obscure Reference at 7:40 PM on September 14, 2009
Best answer: Someone fully analyzed what it did and posted here. Several URLs on that page which would be good to add to block lists!
posted by Chocolate Pickle at 9:57 PM on September 14, 2009
posted by Chocolate Pickle at 9:57 PM on September 14, 2009
Best answer: From the Times' explanation provided by Obscure Reference above:
Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. "In the future, we will not allow any advertiser to use unfamiliar third-party vendors," she said.
And the troy.yort.com analysis above has some awesome technical sleuthing. Which they had figured out by Saturday night. It took NYT until early Monday morning to do the same.
Here's what they should have done, from the same NYT article linked above:
The malicious ads and software can damage a Web site’s reputation and make its visitors nervous. The Register, a British technology news site, was hit in 2004. “We took down all of our ads for several days, even when we were told the problem had been fixed,” said Drew Cullen, an editor for the Web site. "We wanted to make absolutely certain that everything was fine, so that our readers would have faith in us."
But that's a lot of ad revenue to lose.
posted by intermod at 5:30 AM on September 16, 2009
Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. "In the future, we will not allow any advertiser to use unfamiliar third-party vendors," she said.
And the troy.yort.com analysis above has some awesome technical sleuthing. Which they had figured out by Saturday night. It took NYT until early Monday morning to do the same.
Here's what they should have done, from the same NYT article linked above:
The malicious ads and software can damage a Web site’s reputation and make its visitors nervous. The Register, a British technology news site, was hit in 2004. “We took down all of our ads for several days, even when we were told the problem had been fixed,” said Drew Cullen, an editor for the Web site. "We wanted to make absolutely certain that everything was fine, so that our readers would have faith in us."
But that's a lot of ad revenue to lose.
posted by intermod at 5:30 AM on September 16, 2009
This thread is closed to new comments.
posted by leotrotsky at 3:57 AM on September 13, 2009