Major websites were hit by a “malvertising” attack that hijacked people’s computers and demanded ransom.
The New York Times regularly reports on how dangerous the world is. Over the weekend, the Gray Lady became a dangerous place.
On Sunday and Monday, the Times, the BBC, AOL and a host of other major news and entertainment websites inadvertently ran malicious ads that attempted to hijack the computers of visitors and demand a ransom, according to security researchers Malwarebytes and Trend Micro.
The cyberattackers inserted ads that contained malicious software into legitimate online ad networks, the researchers said. The ad networks then distributed the compromised advertising, known as malvertising, to websites, which served them to visitors.
The software then locked visitors out of computer files and demanded a ransom for access.
The Times, the BBC and AOL didn’t immediately respond to requests for comment.
Ransomware hacks scramble computer files with an unbreakable code and won’t release them until a ransom is paid. Computers running Microsoft Windows software have been frequent targets of ransomware, and earlier this week researchers reported what appeared to be the first ransomware targeting Macs.
“Ransomware is not a new technique by any means for cybercriminals, but they are increasing their leverage and sophistication by shifting to high stake targets,” Peter Tran, senior director of security company RSA, said in a statement. “Data is king and it’s serious business to the ransomware cybercriminals”
The attack on the media sites was delivered through multiple ad networks, and it targeted security holes in out-of-date versions of Silverlight, Flash and other software, according to the researchers.
The ransomware didn’t require visitors to the websites to interact with the ads, according to Malwarebytes Senior Security Researcher Jerome Segura, and it was aimed at visitors with outdated programs.
“People think you have to click on the ad for something bad to happen, but that’s not the case,” Segura said. “The malicious activity takes place in a few seconds.”
The attack lasted about 24 hours and was mostly cleared up by Monday evening as the ad networks responded.