Select Page

The New York Times has posted a notice over the weekend that its web site carried a malicious ad for a rogue security product that originated with an advertiser.

“The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week. Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared,” they said. (NYT notice here.)

That attack-through-advertiser approach was pioneered in 2001 by a hacker who went by the handle Fluffi Bunni.

In 2001, Fluffi used an open SSH vulnerability to deface the web pages of security company SecurityFocus by breaching an advertising serving system run by ad-company Thruport Technologies.

He used a similar hack to deface the web site of security group and of SANS Institute, a well-respected company that provides security training and information. (Story from the former NewsBytes here.)

In 2002, Wired news quoted an unnamed source reporting that Fluffi Bunni was contemplating a massive Distributed Denial of Service attack on Akami’s 13 domain-name root servers. (Story here.)

Although Fluffi Bunni was thought to be a hacking group, ultimately he turned out to be one person who was arrested in the UK.

OK, it was a different age. It was funny then. I guess you had to have been there.

Thanks to Eric Howes.

Tom Kelchner