Everyone has seen a fake virus infection Web page from time to time. They pop up on your screen looking like a perfectly normal Windows page except they tell you that your PC is infected by a virus and you need to click here to either fix the problem or download a program that will clean out the bug for you. The only problem is it's a lie. It's actually an attack designed to get you to download malware.
Usually these fake Windows pages (they're actually Web pages) pop up when you're visiting a dodgy Web site. But, even the New York Times isn't immune to attacks like this. Over this last weekend, September 12-13, I was startled to see an apparent Windows page show up that read, "Warning!!! Your system requires immediate anti-viruses scan. Personal Antivirus can perform fast and free virus malicious software scan of your computer."
Now, I wouldn't fall for this, but I can see how many people would. At a glance, it looks real and the last thing most people expect to see coming from the New York Times is malware. But, that's exactly what it was.
The paper confessed to the problem, stating that "NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser."
That's good advice. When you're on a Windows PC, you shouldn't click on any part of the fake message. No, not even cancel. Any click might start a malware download.
In the event, this particular attacker was even cruder. If you clicked on it, you wouldn't get malware, you'd get an endless series of scareware messages until you either rid yourself of the program or 'buy' the software by entering your credit-card number. After that, you might as well call up your credit-card company and get a new card. Your credit card information has just been stolen.
The Times has dealt with the problem on their end, so you won't see this particular nuisance from their site again. But, the iFrame injection attack behind that fake page is an extremely common kind of XSS (cross-site scripting) attack.
Since the problem starts at a Web site that has been either compromised or, in the case of the NYT, tricked, there's not a lot you can do to prevent the attack on your side. Some Web browsers, like the long outdated Internet Explorer 6, are more vulnerable to XSS attacks than others, but any Web browser can be tricked by a well-crafted XSS attack.
If you want to avoid presenting your users with XSS-compromised pages, check out the XSS Prevention Cheat Sheet. It's a must read for Web designers.
If, like most of us, you're a regular user, though, the best advice I can give you is to never trust an anti-virus pop-up window unless it's from your anti-virus program. Don't have one? Get one. Now. There are several excellent free A/V programs.
With or without one, if you're running Windows, and you see one of these windows pop up, just close your browser and re-start. It may be a pain, but if you do anything else you're putting your PC, and quite possibly your money and credit, at risk.