New York Times Web Site Compromised; How to Stay Safe
Over the weekend, numerous visitors to the New York Times Web site were greeted with pop-ups that warned about a virus and promoted antivirus software that was itself Windows-based malware – an attack technique known as “scareware.” The Times has released a statement saying that the pop-ups likely came from an unauthorized advertisement. In a more detailed Gadgetwise blog post, Riva Richmond of the Times explains more of the situation and offers suggestions for what to do if you see such a pop-up.
In short, if you’re using a Mac, don’t worry much about this particular one (see the screenshot on the Random Mutters blog), since it attempts to get you to download Windows malware, which won’t have any effect on a Mac. We don’t recommend that Mac users run antivirus software under normal circumstances (“Should Mac Users Run Antivirus Software?,” 2008-03-18).
Of course, if you’re using Windows, make sure you’re running antivirus software with all updates applied, and if at all possible, use a current Web browser, since older browsers have fewer protective features and may suffer from security vulnerabilities.
That said, these attacks often propagate too quickly for antivirus companies to keep up, so even a fully updated antivirus program may not be able to detect such malware and protect you from it.
Even though Macs are safe from the actual Windows malware that was the payload of this particular attack, there are Web-based attacks (including this one, from what I can tell from reader reports) that essentially take over your Web browser once activated. It’s important in such situations to quit the Web browser using Mac OS X’s native mechanisms (Control-click the Web browser’s Dock icon and choose Quit) in order to circumvent any parts of the user interface that the attacker may have compromised (buttons within the Web browser itself may not do what you expect).
If you’re using Firefox or another browser that automatically restores your session after relaunching, I recommend force-quitting the browser (Control-Option-click its Dock icon and choose Force Quit). If you’re using Firefox, force-quitting puts Firefox into a recovery mode in which it asks if you want to restore your session, thus letting you avoid reloading the offending page.
In Windows, right-clicking the Web browser in the Task Bar and closing it from there should be a safe way to quit; you can also force quit by pressing Control-Alt-Delete and ending the task from the Task Manager.
If you’re interested, Troy Davis has posted an analysis of how this particular attack works on his Inputs & Outputs blog. In essence, the attackers inserted an IFRAME into a third-party advertisement, and that IFRAME contained a series of redirects and a fake page that displays the pop-up with the link to the actual malware.
The important lesson to take away is that this attack relies largely on the user taking specific actions, and it’s entirely possible that a future attack could target Mac users with Mac OS X-specific malware. So be cautious, and if you’re presented with an extremely unusual pop-up in your Web browser, don’t click its buttons, and quit immediately.