NYTimes explains rogue advert – it was human error
As we reported yesterday, NYTimes.com suffered a security breach over the weekend, and visitors started seeing a rogue advertisement telling them a virus was present on their system and directing them to an antivirus solution. There was no virus and the solution was bogus; anyone following the instructions given to them probably ended up with an infected machine.
So how did this happen? The NYTimes has now explained that the advert did not come through an advertising network, but was accepted directly by the NYTimes.com advertising operations team. The site only gets around half its ads from ad networks and handles the other half itself. In this case the rogue advert came through as a Vonage ad, with Vonage being a company the site has dealt with before.
The advertisement was submitted as if it came directly from Vonage and appeared as a legitimate Vonage ad unit, but once in the system it was changed to deliver a rogue payload. That change was possible because the site trusted that it was a Vonage advert and allowed the company to use a vendor unknown to the site to deliver the ads.
It took the NYTimes a long time to stop it appearing because at first it thought the advertisement must have come from a network. That time was further extended because it was unknown which advert had gone rogue.
The NYTimes has now vowed to never allow third-party vendors to be used again on the site unless they are a known quantity.
Read more at The New York Times
Matthew’s Opinion
It sounds like this was a catalog of errors on the part of the site. No checks were carried out to ensure the people/person contacting them as Vonage actually were from the company. The advert was then accepted, but allowed to be supplied by a third party that was unchecked, allowing it to be changed at any time. I’m surprised they let that happen at all, to be honest, just in case a problem occurs even if it isn’t malicious.
All the faults seem to be errors of judgement and no system breaches occurred. The people behind this rogue ad must have been surprised at just how easy it was to get on the site, but it must also have required an investment of money. Would it just have been added to the Vonage account, or was a payment received? If so, where did it come from?
I’ve seen a few comments, including on my item about this yesterday, that this rogue advert has been seen on other websites over the past couple of weeks. I’d be interested to know if it is the same technique used in all cases. Did the perpetrators just make contact and pretend to be a company websites trust enough to accept advertising from?
– By Matthew Humphries | geek
- Loulith Galenzoga