nytimes spyware
September 13, 2009 3:54 AM

What's up with the NY Times trying to install spyware?

...and why is it still trying to this morning? You'd think that their tech folks woulda fixed it by last night.
posted by leotrotsky to Computers & Internet (42 answers total)
I click on this link, and some crappy spyware tries to install itself. Very uncool, and pretty amateur on there part. I noticed the same thing happened to folks last night from another NY Times link. What's up with this, and why haven't they fixed it yet?
posted by leotrotsky at 3:57 AM on September 13, 2009


Ack, amateur on 'their' part. I should talk.
posted by leotrotsky at 3:57 AM on September 13, 2009


Nothing happened at my end. Can you be more specific?
posted by doctor.dan at 3:58 AM on September 13, 2009


Nothing on my end, either. Are you sure it's not something that's been living on your system prior to this?

Unless you're talking about their TimesPeople program that was hanging out at the top of my browser window, and that's their version of a community widget (supposedly. I don't have it installed).
posted by Verdandi at 4:02 AM on September 13, 2009


I'm running a Mac, and it's Windows specific spyware, so probably not.

This is what I'm talking about (internal Metafilter link)
posted by leotrotsky at 4:09 AM on September 13, 2009


Happened to me just now. I'm on a Mac. I'd like to know the answer too.
posted by ImproviseOrDie at 4:14 AM on September 13, 2009


For what it's worth, it only happened the first time I clicked through.
posted by leotrotsky at 4:18 AM on September 13, 2009


This happened to me also. A page appeared that looked like windows explorer and I had to force-quit firefox as there was no option other than 'click to install'.

I'm on a mac so I presumed it couldn't do anything, anyway.
posted by a womble is an active kind of sloth at 4:27 AM on September 13, 2009


Another data point here. Happened to me last night using Safari 4.0.x on OS X.
posted by The Michael The at 4:48 AM on September 13, 2009


Me too just now
posted by lalochezia at 4:59 AM on September 13, 2009


mac osx 10.4.X running latest firefox
posted by lalochezia at 4:59 AM on September 13, 2009


I got this as well on the article. Firefox 3.5.3 on WinXP. Page redirects to:
hxxp://protection-check07.com/1/?sess=pGTwzjDwMi02MyZpcD03Ni4xMjcuMTc2LjQmdGltZT0xMjU2OQAMPQdM
which prompts a download of
hxxp://protection-check07.com/download/Scanner-93cfc74_2006-63.exe

Guessing it's a malicious ad server, but could be a hack elsewhere.
posted by reptile at 5:03 AM on September 13, 2009


I sent them two messages from their web form yesterday afternoon pointing out that this was happening and providing more detailed information in the second message. So even if they didn't see it happening themselves, they should know.
posted by julen at 5:16 AM on September 13, 2009


The same thing happened to me. I'm running Firefox on a Mac. I was opening a series of new tabs from Google Reader when the fake Windows Explorer-like screen came up, but because all of the links were from different sites, I had no idea which one was the culprit. One of the sites was indeed from the NYT, so it's good to know that I'm not the only one this has happened to.
posted by sabira at 6:27 AM on September 13, 2009


Ooh, that's a pretty good one. It looks fairly convincing, and it's hard (not HARD hard, just not instantaneous) to shut down, even in Chrome.

I got it the first time I clicked that link from the FPP, but not from this page, until the 7th or 8th time I tried.

The Times is going to take a beating over this.
posted by dirtdirt at 6:50 AM on September 13, 2009


We're not the only ones to notice it; lots of Twitter discussion. Haven't found any further info, just lots of people linking to the malware. Pretty much any complex website is vulnerable to being taken over at some point.
posted by Nelson at 6:57 AM on September 13, 2009


It may not be the NYTimes itself. A lot of times when this has happened, it's been an advertiser on an advertising server doing it.
posted by Chocolate Pickle at 7:14 AM on September 13, 2009


I suspect it's one of the ads (though I usually have those blocked pretty well.) I also got shunted off to that best-antivirus03 malware site when I tried to read that walking-to-school story.
posted by ubersturm at 7:21 AM on September 13, 2009


I haven't gotten it, but the first time I tried loading the page it was hanging waiting on something from voicefive.com - it looks like they have a tracking pixel on the page, which I guess could be gathering behavioral data or perhaps randomly generating a survey, or something? Maybe that's related? When I tried visiting Voicefive's site an hour ago, they were down, but now they're back up. Just a guess.

Could also be from an ad server, as mentioned above - DoubleClick (who is serving, for example, the IBM and Visa ads on the page) has had troubles in the past being an unwitting mule for malware, and it seems really tricky to catch: DoubleClick is huge and they don't usually have a direct hand in vetting the ads they serve, that's more of the responsibility of the advertiser and the publishing website.
posted by Metroid Baby at 7:38 AM on September 13, 2009


In the past with other large sites, this happens when someone exploits a poorly-run adserver or even just a box in an adserver's content delivery network (CDN). Imagine you're running ads on major sites and you've got a monster farm of boxes to handle the traffic, and then imagine you have some poorly executed plan for keeping every single server patched.

The tough thing for the sites serving multiple ads like the NYT is that you have contact with 50 different ad servers and networks and each page may be loading ads from all of those, but randomly, so troubleshooting which ad network is compromised is really tough.
posted by mathowie at 7:39 AM on September 13, 2009


I've been getting this too-- (Firefox, Mac). I've been force quitting and then shutting down the computer entirely. Too paranoid? Is the force quit enough?

Or, it's a clever marketing ploy in anticipation of introducing pay to NYT on line. No more freebies unless you want this obnoxious spyware to pop up every time. Pay the subscription and the problem goes away!
posted by nax at 7:59 AM on September 13, 2009


Thanks for pointing this out. My first reaction was that Mac OS X was running a virus scan. Then I realized that wasn't possible or I wouldn't even see it happening. You never see the virus scan. I closed the tab and the 'scan' stopped. I don't like it but it seems harmless for now.
posted by birdwatcher at 8:10 AM on September 13, 2009


I get it too but it's also happened to me on a few other websites in the last week or so.

Have you just come here to collectively vent/play amateur detective?

I see nothing wrong with that. Isn't amateur detective one of the things AskMe is great for?
posted by otherwordlyglow at 8:29 AM on September 13, 2009


but this is a completely crappy question for MetaFilter.

No, it's not. Just before clicking on AskMe and noticing this question, I had gotten the spyware from the "Judging Roberts" article. (I'm using Firefox on Windows). I had to cancel the download. Really freaked me out.

And the article I clicked on never appeared.
posted by jayder at 8:32 AM on September 13, 2009


re whether this is a good or bad question for MetaFilter, I must bow to long-time MeFites for that judgement, but I for one am grateful for this discussion. I was another to be caught by this nyt-linked malware this a.m.; had to force-quit to get out; NYT had no info on it; and when I went to Apple online support found some discussion -- but no help. So thank you mathowie, metroid baby, chocolate pickle, others for explaining and sharing.
posted by Bet Glenn at 8:36 AM on September 13, 2009


I just got hit by this too. I am not going back to nytimes.com until I see it reported in this thread that they've recognized the problem and have taken steps to resolve it. Not good, NYT!
posted by intermod at 9:35 AM on September 13, 2009


I'm going to chime in that it might be coming from an ad on the site. I was surprised to hear that this was happening on the NYT site, since it had JUST happened to me on the SFGate website (San Francisco Chronicle). Same spyware and everything, so I'm assuming bad ad.
posted by The Light Fantastic at 9:51 AM on September 13, 2009


I love Ask MeFi. I just received the same "computer infected" message that is infuriating to close down.

I've gotten the same crap a dozen times on other websites and was almost "tricked" the first time into thinking it was some system message. It does look "official."

I'm not really bothered that it appeared on the NYT. I'm sure they will fix it. Stuff happens. It worries me however that a "geek" like me can be nearly tricked by this thing the first time it appears. Imagine the millions who fall for this crap.

Thanks for the message OP, and the subsequent replies. Thinking the NYT was invulnerable to this crap, my biggest concern was that it was somehow embedded on my system. By merely going from the NYT to MeFi, I had my answer in 15 minutes! And I wasn't even looking for it...
posted by private_idaho at 10:02 AM on September 13, 2009


The New York Times is aware of the problem.

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to adtraffic@nytimes.com.
posted by av123 at 10:41 AM on September 13, 2009


I've had the same experience on Boing Boing this week. I wrote Mark F. about it, but no response yet. Could be connected to the same advertiser.
posted by yellowcandy at 11:08 AM on September 13, 2009


Yeah, this seems to be a problem on a number of sites right now. I've encountered it on the NY Times, some blogs, and other random pages while browsing.
posted by Aanidaani at 12:34 PM on September 13, 2009


It happened to me, too. I'm fairly certain I closed everything up without anything being downloaded (certainly, Firefox's download manager didn't appear). How can I, on a Mac, doublecheck to make sure nothing was downloaded to my computer without my knowledge?
posted by ocherdraco at 12:52 PM on September 13, 2009


Thanks av123 for copying in the text. I'm not clicking on that nytimes link until I hear that this is fixed :)

NYT Digital is a HUGE operation. This should have been fixed 30 minutes after detection, or if they want to claim it's not their fault, then at least a clear explanation of what's going on. 24 hours and counting ...
posted by intermod at 2:30 PM on September 13, 2009


NYT Digital is a HUGE operation. This should have been fixed 30 minutes after detection

Does their adserving department work on weekends? Maybe they do, but I'd be surprised. And I want to buy them a round of drinks after this kerfuffle.

Full disclosure: I've worked in adserving for a few years. It can be phenomenally stressful. I'm lucky to have never had to deal with a suspicious ad network throwing malware at me, but I have had to deal with calls at 4 am about how so-and-so's roadblock is not live, and it's not our implementation but the other guys' that's at fault so there's nothing we can really do but wait for them to fix it, but the client is still going to have our heads once they hear about this.

If the malware's being loaded from an ad tag, it's possible that the tag's set up to rotate a totally-fine ad 99% of the time, and the hundredth time the creative looks identical, but -- boom -- malware. (I couldn't tell you for sure that this is how it's set up, but it is possible.) Generally, when a website tests ad tags, they're checking that the creative meets specs, doesn't prevent the page from loading, clicks through properly, etc. Malware is a very rare occurrence and I'm not sure many publishers have the time and methods to catch it. I mean, imagine reloading every single ad tag you receive one hundred times. Now imagine that you have five hundred of these tags and they all need to be live by tomorrow morning.

Not only that, advertisers can switch the ads in those tags at any time without any action needed on the publishing site's part. This greatly reduces the workload for both advertiser and publisher, but it's not common practice for advertisers to notify publishers for every creative swap they do, so one morning you wake up and there's an out-of-spec ad on your site where there was an OK one yesterday. I'm willing to bet that whoever's responsible for the malware scheduled the swap for this weekend because they knew no one would be around to catch it right away.

And, I'm not sure if the NY Times has this particular problem since they generally seem to be doing well with the ads, but a lot of advertising budgets have been scaled back, so there's often a scramble to sell remnant inventory, which may mean you have to give in and allow floating ads, or the ads where Obama wants moms to go back to school, or you entertain offers from unfamiliar ad networks.

So I really feel for these guys. Twitter and everywhere are exploding with OMG NYTIMES SUX, for something they probably couldn't have caught in advance.
posted by Metroid Baby at 3:29 PM on September 13, 2009




Article says "the Times believes it has eliminated these ads", so I guess it's safe to go back into the water.
posted by intermod at 4:45 AM on September 14, 2009


story posted to SlashDot last night

Still no specifics as to which ad network let this through, but there is one scary comment that someone saw this on CNN.com yesterday. If NYTimes isn't telling us, hopefully they're at least telling their colleagues at the other major digital properties so that they can disconnect from the same ad network.
posted by intermod at 5:02 AM on September 14, 2009


Learning From the NY Times Attack Ad -- "The NYTimes.com site warned Sunday that it had inadvertently displayed an 'unauthorized advertisement' over the weekend that tried to use fake malware warnings to trick viewers into installing scareware."
posted by ericb at 3:05 PM on September 14, 2009


Wired article
posted by lalochezia at 3:54 PM on September 14, 2009




Someone fully analyzed what it did and posted here. Several URLs on that page which would be good to add to block lists!
posted by Chocolate Pickle at 9:57 PM on September 14, 2009


From the Times' explanation provided by Obscure Reference above:

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. "In the future, we will not allow any advertiser to use unfamiliar third-party vendors," she said.

And the troy.yort.com analysis above has some awesome technical sleuthing. Which they had figured out by Saturday night. It took NYT until early Monday morning to do the same.

Here's what they should have done, from the same NYT article linked above:

The malicious ads and software can damage a Web site’s reputation and make its visitors nervous. The Register, a British technology news site, was hit in 2004. “We took down all of our ads for several days, even when we were told the problem had been fixed,” said Drew Cullen, an editor for the Web site. "We wanted to make absolutely certain that everything was fine, so that our readers would have faith in us."

But that's a lot of ad revenue to lose.
posted by intermod at 5:30 AM on September 16, 2009
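
Added example (not part of the thread, and not code from any poster or from the Times): a publisher-side check for the two points raised above, a tag that rotates a bad creative 1% of the time and a campaign delivered through a vendor nobody vetted. The allowlist, hostnames and sample creatives are constructed for illustration.

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: delivery hosts the publisher has actually vetted.
VETTED_HOSTS = {"ads.vetted-vendor.example", "cdn.vetted-vendor.example"}
URL_IN_TEXT = re.compile(r"""https?://[^\s'"<>)]+""")

class UrlCollector(HTMLParser):
    """Collects every URL a creative can load, link to, or redirect to."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "href", "data", "action"):
            if attrs.get(name):
                self.urls.append(attrs[name])
        # <meta http-equiv="refresh" content="0;url=..."> navigates the page.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            _, found, target = (attrs.get("content") or "").partition("=")
            if found:
                self.urls.append(target.strip(" '\""))

    def handle_data(self, data):
        # Inline script bodies arrive here; pull out absolute URLs they mention.
        self.urls.extend(URL_IN_TEXT.findall(data))

def unvetted_hosts(creative_html):
    """Return the sorted hosts a creative references that are not vetted."""
    collector = UrlCollector()
    collector.feed(creative_html)
    collector.close()
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h not in VETTED_HOSTS)

def detection_probability(bad_rate, loads):
    """Chance that at least one of `loads` independent loads is the bad creative."""
    return 1 - (1 - bad_rate) ** loads

def loads_needed(bad_rate, confidence):
    """Fewest loads that reach the given detection confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - bad_rate))

# Constructed samples of one ad tag: the usual creative and the swapped one.
CLEAN = '<a href="https://ads.vetted-vendor.example/c?id=1"><img src="https://cdn.vetted-vendor.example/b.gif"></a>'
SWAPPED = CLEAN + '<iframe src="https://unvetted-delivery.example/f"></iframe><script>var next = "https://scan-landing.example/1/";</script>'
```

At a 1% rotation rate, one hundred reloads still miss the bad creative about 37% of the time, and it takes 299 loads to reach 95% confidence, which is why flagging any unvetted delivery host on every sampled load is the cheaper signal.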

