New York Times pushes Fake AV malvertisement.

Earlier today, the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some readers” relating to a malicious pop-up window while browsing the site.

NYTimes Twitter posting



In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”. From some online discussion it looks as though the problem may have been ongoing for upwards of 24 hours.


The pop-up window itself (screenshot captured by a quick-witted reader of All Things Digital) was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup”, for a fee of course.

Image courtesy of All Things Digital



The malicious software being punted in this case is similar to what we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog.


In this particular example, the malicious site and software are being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLs.

Here’s a really simple tip to remember. If you *ever* see a browser pop-up window that arrives uninvited, telling you your PC is infected, ignore it; it is a scam. Close the window, empty your browser cache and, to be on the safe side, run a real scanner like HouseCall. To be more fully protected in future, make sure you install an antimalware program that will also block malicious URLs, rather than simply looking for malicious files.


UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here.


UPDATE: The fake AV program being pushed in this attack was called Personal Antivirus and is very much a classic piece of scareware.



On install the application will start “scanning” your machine for problems. On a completely fresh installation of Windows Vista, it supposedly detected 38 threats.

4-PAV scan results on clean sys


Of course none of these imaginary threats can be removed until you pay to activate your copy of this useless software, giving away not only your cash but also, of course, all your credit card and personal details at the same time: a double-whammy for the cybercrooks.

3-PAV cost


If you choose not to activate the software immediately, you will then be served at random intervals with fake messages informing you of yet more detected problems. When you hit the “Block” button, you are again prompted to pay for the software, and so it continues…

7-PAV fake warnings


For cleanup, use HouseCall or any other reputable security software; a helpful list of what is real (as opposed to FakeAV) can be found here.


If the software you are being punted isn’t on the list, then do not install it.

17 thoughts on “New York Times pushes Fake AV malvertisement.”


  8. Marlene

    Unbelievable that people believe these ads. They used to pop up all the time on our computers. Everyone here knew they were malware. Why would any company who uses computers in their business click to download these?


  10. JMan

    This is ALL OVER THE PLACE – MySpace has been infected with this forever (8+ months) – quite a number of MySpace advertisers either have been subverted, or they are ‘fakers’ posing as valid advertisers.

    Several of us have tried to assist MySpace in eradicating it but, due to MySpace’s very dynamic advertising, it’s difficult to catch all instances – plus the fact that there are various ‘morphs’ of the original “fake scanner virus” (the one shown in 1st screen shot).

    As long ago as 8 months, I saw this exact fake scan on several large-name sites – all but Facebook. – I saw it on Yahoo, eBay, NetworkSolutions and MySpace – those are the ones I specifically recall and tried to trace via IE cache, but it’s dicey at times.

    And a couple of them are able to download spyware / malware, even to protected systems, because the perpetrators keep changing the code to evade the ‘real’ scanners and anti-malware vendors.

    Again, I say PROSECUTE the perpetrators to the fullest extent! Just like “Patient Zero” – in determining the VERY FIRST patient of an outbreak, we need a “Victim Zero” initiative, to find the first happenings of such things like conficker and these fake scanner programs. Ultimately, for the most part, they eventually can be traced back to their originators, either via ‘money trail’ where someone purchased ADs and then infected those ads, or via diligent tracking back to the source via other hard-core investigative techniques.

