As a follow-up to the last posting regarding the logic flaws found in the Sears.com website: the NY Times was also recently tricked into serving Scareware through its online ad system. This is certainly not the first time something like this has been done, and it probably won't be the last. In my opinion, though, the interesting aspect of this whole story is that the individuals posting the ad followed proper ad channels – this was not your typical site hijacking where content was replaced.
According to the reports, the individuals used the ad network systems to place what appeared to be a legitimate ad for Vonage. The ad content was even reviewed and approved by the NY Times ad operations team. The flaw in the process was that they allowed an outside vendor to host the ad content through the use of iframes. Since the ad appeared to be from a prior NY Times customer, Vonage, the outside vendor was not vetted any further.
The individuals then waited for the weekend, when the NY Times IT staff would be less likely to notice the activity, and the legitimate ad content on the hosted site was changed to push out Scareware. The Scareware was designed to scare people into believing their computers were infected and entice them to purchase fake anti-virus software. Given that most consumers are probably not that tech-savvy, and they believed it was coming from a trusted site, many probably opted into buying the software. I have yet to see an analysis of the malware itself, but it would be the perfect vehicle to inject keystroke monitoring software to capture passwords or bank account information as well.
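The gap described above is a one-time review of content that stays on someone else's server. As an added example (not from the original post or from any system it describes), here is a re-check of an externally hosted creative against the snapshot taken at approval, flagging both changed content and newly referenced hosts; the URLs, HTML and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _RefHosts(HTMLParser):
    """Collect hosts named in attributes that load or navigate to remote content."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())

def snapshot(html):
    """Fingerprint a creative: content hash plus the set of hosts it references."""
    parser = _RefHosts()
    parser.feed(html)
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    return {"sha256": digest, "hosts": frozenset(parser.hosts)}

def check_drift(approved, fetch, url):
    """Re-fetch the hosted creative and compare it with the approved snapshot.

    `fetch` is any callable returning the HTML for `url` (an HTTP client in
    production, a stub here so the example runs offline).
    """
    current = snapshot(fetch(url))
    findings = []
    if current["sha256"] != approved["sha256"]:
        findings.append("content-changed")
    new_hosts = current["hosts"] - approved["hosts"]
    if new_hosts:
        findings.append("new-hosts:" + ",".join(sorted(new_hosts)))
    return findings

# Constructed sample data: what was reviewed, and what the vendor serves later.
AD_URL = "https://ads.vendor.example/creative/123"
APPROVED_HTML = ('<a href="https://advertiser.example/offer">'
                 '<img src="https://ads.vendor.example/banner.png"></a>')
SWAPPED_HTML = '<script src="https://cdn.unknown.example/scan.js"></script>'

def demo():
    approved = snapshot(APPROVED_HTML)
    unchanged = check_drift(approved, lambda u: APPROVED_HTML, AD_URL)
    swapped = check_drift(approved, lambda u: SWAPPED_HTML, AD_URL)
    return unchanged, swapped
```

Run on a schedule that includes weekends, a non-empty result is the signal to pull the placement until the creative is reviewed again.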
It just goes to show that it truly is the wild, wild Internet – but more importantly, security professionals in all industries have more and more attack vectors to watch out for, and any shortcuts they take could have devastating effects.