New York Times promotion piece used as bait in a global ‘spoofing’ attack

NY Times promo

A nefarious cyber-attacker, taking advantage of The New York Times’ vaunted reputation for veracity, has used an online promotional piece pitching “TimesReader 2.0” as bait in a targeted “spoofing” attack, according to MessageLabs Intelligence, a part of Symantec’s hosted services unit.

“MessageLabs Intelligence tracked a new targeted attack yesterday [February 24, 2010] using emails pretending to be from the New York Times sending out its ‘Times Reader’ software hitting six different domains,” said an e-mail announcement from a public relations firm representing MessageLabs Intelligence.

According to Paul Wood, a senior analyst with MessageLabs Intelligence, if a recipient of the bogus e-mail message clicks on the attachment, a virus will be downloaded that will automatically begin capturing data from the victim’s key logger, and transmitting that data to a computer sitting in Denmark. No tell-tale signs appear on the victim’s computer screen, so he or she will not know they have been infected with the computer virus, said Wood.

If, for example, the victim was to visit his online banking Web site, and entered his user name and password, his individual keystrokes would be sent automatically to the computer in Denmark.

The e-mail attacks originated from an IP address in Greece, says MessageLabs. Wood said it was unclear if the computer in Greece had, in fact, been “captured” by another computer, perhaps in a different country. “We might never know if they are being controlled by a different computer, which is controlled by the bad guys,” he said.

The spoofing attacks appear to have hit six different domains – one was a public sector domain, one was a law firm, three were chemical companies and one was an online gambling company in the UK, said MessageLabs Intelligence. All six domains are current customers of Symantec. Wood says about 25 individual computers have been infected thus far in those six different organizations.

Apparently, the virus that is downloaded to a victim’s computer automatically extinguishes itself. “The malware times out in about an hour and deletes itself,” said Wood.

Wood says MessageLabs Intelligence has not been in touch with the operators of the computers in either Greece or Denmark. “Typically, we get in touch with the ISPs [Internet Service Providers], so they can contact their own customers,” he added.

At The New York Times, Martin Nisenholz, senior vice president for digital operations, said he was not yet aware of this alleged spoofing attack. GSN is awaiting further comment from the newspaper, based in New York City.