Nowhere is safe: Ads hit New York Times, BBC, MSN and more
Posted on 03/30/2016 at 12:00 AM by John Lande
Over the last two weeks, websites including the New York Times, BBC, The Hill, Newsweek, AOL, and MSN were the platforms for malicious advertising (“malvertising”). According to online data security analysts at CSO, these major websites were injected with malvertising that allowed hackers to install malicious software likely designed to hold an organization’s data for ransom.
So-called ransomware attacks are on the rise. It was recently reported that a California hospital had its systems hijacked and was forced to pay a ransom in order to retrieve all of its data. Hackers allegedly demanded over $3 million for the return of the hospital’s data. However, it was later reported that the amount the hospital paid was closer to $17,000. Nevertheless, the hospital was in a tight spot because it apparently failed to sufficiently back up its data, so it was completely beholden to the hackers.
The breaches at major websites like MSN and the New York Times, with their millions of daily page views, are particularly dangerous. Malvertising is insidious because it does not necessarily require users to click on an ad in order to download malicious software. These “drive-by” attacks can occur in the background of a computer’s normal operations, so the user may not be aware that their computer is being compromised.
One of the most significant steps an organization can take to guard against these kinds of attacks is making sure their software is up to date. The recent attack at MSN and the New York Times is reported to have taken advantage of security flaws in Adobe Flash and Microsoft Silverlight.
This blog has previously discussed the importance of patching organization software to avoid known security flaws. This is one easy step organizations can take to minimize the risk of a ransom attack or a data breach.
This recent malvertising campaign also illustrates the risks that employees may cause when they access websites on organization computers. This blog recently reviewed a case where a bank was the victim of a cyber-attack involving over $485,000, and employee conduct almost prevented the bank from having insurance coverage.
Organizations need to be aware of the serious threat posed by all internet websites. Even mainstream websites can be platforms for the distribution of malicious software, so organizations need to make sure they are taking steps to minimize the risk of attack. Legal liability may depend on these actions.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Employment & Labor Law, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.
