The New York Times Accidentally Serves Malicious Ads

Last week, The New York Times unwittingly served a rogue advertisement that, whenever it appeared in the ad rotation, would install malware disguised as antivirus software.

The malware seems to be one of the many variants of the infamous Antivirus2009, which goes by many names but does the same thing overall: it locks down your computer and pretends to be an antivirus application, demanding that you pay $30-$760 to remove the mess of nonexistent malware that it claims is on your computer. (In fact, the only malware is the faux antivirus software itself, which does all sorts of terrible things.) Paying the fee to the authors of the ransomware does not earn you any relief from the software either; it simply opens you up to more extortion.

The last I heard, The New York Times staff were looking into finding the rogue ad, which contained some Flash scripting to redirect to the malware site. (This sort of problem is in no way unique to The New York Times. Every once in a while, a rogue ad slips through the approval process and ends up in a major banner network.) This brings up an interesting topic of discussion…

Online publishers need to move away from running Flash-based banner ads. There, I said it. By dropping ads built with Flash, you make it a lot harder, if not impossible, for malware to be spread through said advertisements. As valuable as Flash is for online video and games, it’s the root of all evil when it comes to ads. You can’t spread malware through a JPG, GIF or PNG image, and you can’t make ads that talk, play video, or fly across the screen either. Whenever someone complains about an obnoxious ad, chances are it’s Flash.

Update: It turns out that the ad was sold not through a third-party network, but through The New York Times’ internal sales department. The malware distributor posed as a legitimate company (Vonage) and then delivered the malicious ad code after paying. You can read the full details on
