Cyber Attackers Pose as New York Times

Chris CrumBusiness

Share this Post

Symantec's MessageLabs tells WebProNews there is a new targeted attack using emails pretending to be from the New York Times. MessageLabs Intelligence tracked the attack yesterday, which used emails pretending to come from the NYT's "Times Reader" software, hitting six different domains. One domain was a public sector domain, one was a law firm, and three were to chemical companies, and one was an online gambling company in the UK.

"The email attacks originated from Greece from IP address (," a MessageLabs representative tells us. "MessageLabs Intelligence can't see this being used as a botnet."

Attackers Disguise themselves as New York Times - Times Reader

"When executed the "Times Reader Plugin.exe" uses iexplore.exe to send encrypted data over port 443 to," she continues. "It resolves to an address in Denmark, which looks like a computer on a home network. It doesn't display anything when you run the exe, so the victim wouldn't know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session open. It drops 2 files in the C:\windows\system32 directory as rundl32.exe and also rundl32. This dropped virus is a keylogger with rundl32 file containing what it is you are writing. After a while, the virus shuts down and deletes itself."

While the attack appears to be very targeted, it may prove to be a good idea to watch for such emails, particularly if you are a user of Times Reader.


Chris Crum
Chris Crum has been a part of the WebProNews team and the iEntry Network of B2B Publications since 2003. Follow Chris on Twitter, on StumbleUpon, on Pinterest and/or on Google: +Chris Crum.