New York Times, BBC and others inadvertently serve up dangerous ads

Major websites were hit by a "malvertising" attack that hijacked people's computers and demanded ransom.

Carrie Mihalcik Former Managing Editor / News
Carrie was a managing editor at CNET focused on breaking and trending news. She'd been reporting and editing for more than a decade, including at the National Journal and Current TV.
Expertise Breaking News | Technology Credentials
  • Carrie has lived on both coasts and can definitively say that Chesapeake Bay blue crabs are the best.
Carrie Mihalcik
2 min read

Malicious ads can infect your computer, even if you never click on them.

C.J. Burton/Corbis

The New York Times regularly reports on how dangerous the world is. Over the weekend, the Gray Lady became a dangerous place.

On Sunday and Monday, the Times, the BBC, AOL and a host of other major news and entertainment websites inadvertently ran malicious ads that attempted to hijack the computers of visitors and demand a ransom, according to security researchers Malwarebytes and Trend Micro.

The cyberattackers inserted ads that contained malicious software into legitimate online ad networks, the researchers said. The ad networks then distributed the compromised advertising, known as malvertising, to websites, which served them to visitors.

The software then locked visitors out of computer files and demanded a ransom for access.

The Times, the BBC and AOL didn't immediately respond to requests for comment.

Ransomware hacks scramble computer files with an unbreakable code and won't release them until a ransom is paid. Computers running Microsoft Windows software have been frequent targets of ransomware, and earlier this week researchers reported what appeared to be the first ransomware targeting Macs.

A handful of high-profile cases over the past month involved hospitals and critical computer files. Once computer files are seized, the FBI says, there's little to do other than pay up.

"Ransomware is not a new technique by any means for cybercriminals, but they are increasing their leverage and sophistication by shifting to high stake targets," Peter Tran, senior director of security company RSA, said in a statement. "Data is king and it's serious business to the ransomware cybercriminals"

The attack on the media sites was delivered through multiple ad networks, and it targeted security holes in out-of-date versions of Silverlight, Flash and other software, according to the researchers.

The ransomware didn't require visitors to the websites to interact with the ads, according to Malwarebytes Senior Security Researcher Jerome Segura, and it was aimed at visitors with outdated programs.

"People think you have to click on the ad for something bad to happen, but that's not the case," Segura said. "The malicious activity takes place in a few seconds."

New computing threats mean new businesses trying to help people avoid those threats. One, from Firefox project co-founder Brendan Eich, is the Brave browser. Its built-in ad technology blocks others' ads and behavior-tracking tools. It can replace website ads with its own in a way that's designed to protect privacy and share ad revenue with website publishers and the people using the browser.

Brave also confines ads it does show to computing compartments called sandboxes to make it harder for ads to carry out attacks, and it checks the ads themselves for software instructions associated with an attack.

"Surfing the Web should not turn into a fear of highway robbery," Eich said.

The attack lasted about 24 hours and was mostly cleared up by Monday evening as the ad networks responded.

Update, March 17 at 12:19 a.m. PT: Adds information on the Brave Web browser.