Exploit Sat on LA Times Website for 6 Weeks

The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.

On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast. 

Kubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.

Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site.

“The LA Times, along with dozens of other Google ad exchange users including the New York Times, the Guardian, CNET, Huffington Post and ZDNet, were, to varying degrees, blocked by malicious script warnings,” Manning wrote in an email to KrebsOnSecurity. “The impacted sections of our site were quickly cleared and there was never any danger to users.”

Unfortunately, Avast and others continued to detect exploits coming from the news site. Manning subsequently acknowledged that the Google display ad issue was a separate and distinct incident, and that the publication’s tech team was working to address the problem.

Malicious code served by offersanddeals.latimes.com

It’s not clear how many readers may have been impacted by the attack, which appears to have been limited to the Offers and Deals page of the latimes.com Web site. Site metrics firm Alexa.com says this portion of the newspaper’s site receives about 0.12 percent of the site’s overall traffic, which according to the publication is about 18 million unique visitors per month. Assuming the site was compromised from Dec. 23, 2012 through the second week in February 2013, some 324,000 LA Times readers were likely exposed to the attack.

Security experts warn that the LA Times incident is unfortunately all-too-common. A report released this week by security and antivirus firm Sophos found that 80 percent of the Web sites where the company detects malicious content are innocent, legitimate sites that have been hacked.

According to Sophos, once attackers have figured out a way to inject content into a Web site, the rest of the intrusion follows a familiar script: The attackers add malicious content (usually snippets of JavaScript) that generate links to the pages on their Blackhole site. When unsuspecting users visit the legitimate site, their browsers also automatically pull down the exploit kit code from the Blackhole server.
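One defensive check a site owner can run against the mechanism Sophos describes, as an added example that is not from the article or from any party it names: fetch the site's own pages and flag script and iframe sources that point outside an expected host list, plus inline scripts that redirect or write iframes. The allow-list, host names and sample HTML below are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects script/iframe sources to come from (constructed allow-list).
ALLOWED_HOSTS = {"offersanddeals.latimes.com", "www.latimes.com", "www.google.com"}

# Inline-script calls commonly used by injected redirect snippets (heuristic).
REDIRECT_RE = re.compile(r"window\.location|top\.location|document\.write", re.I)


class InjectionScanner(HTMLParser):
    # Collects external script/iframe sources outside the allow-list and inline scripts that redirect.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            host = urlparse(src).hostname  # handles protocol-relative "//host/x" forms too
            if host and host.lower() not in ALLOWED_HOSTS:
                self.findings.append((tag, host.lower()))
        self._in_inline_script = tag == "script" and not src

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and REDIRECT_RE.search(data):
            self.findings.append(("inline-script", data.strip()[:60]))


def scan_html(html):
    # Returns a list of (kind, detail) findings for one fetched page.
    p = InjectionScanner()
    p.feed(html)
    return p.findings


# Constructed sample page: one expected ad script, an injected loader tag,
# a hidden 1x1 iframe, and an inline document.write that writes another iframe.
SAMPLE = """<html><head>
<script src="https://www.google.com/adsense.js"></script>
<script src="//cdn-static.example.net/j.js"></script>
</head><body><iframe src="http://landing.example.org/in.php" width="1" height="1"></iframe>
<script>document.write('<iframe src="//x.example.com/"></iframe>');</script>
</body></html>"""
```

The findings are leads for review, not verdicts: legitimate ad tags also use document.write, so the allow-list and patterns need tuning per site.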

“Once your browser sucks in the exploit kit content from the Blackhole server, the attack begins,” the company wrote in its latest threat report (PDF). “The exploit code, usually JavaScript, first works out and records how your browser arrived at the Blackhole server. This identifies the affiliates who generate the traffic in the first place, so they can be paid just like affiliates in the legitimate economy. Then the exploit code fingerprints, or profiles, your browser to identify what operating system you are using, which browser version you have, and whether you have plugins installed for Flash, PDF files, Java applets and more.”

Unlucky visitors who are browsing the hacked page with outdated plugins will have their PCs infected with malware of the attacker’s choosing.

The LA Times attack highlights the daily security challenges facing Web site owners and Internet users. Keeping your browser and operating system up-to-date with the latest patches is a great start, but it’s not enough to keep you safe on the Web today.

I recommend that users remove unneeded and buggy plug-ins like Java, and use tools to block the automatic execution of JavaScript, which should neuter most of these exploit kit attacks. Check out my primer “Tools for a Safer PC” for more details on how to tackle this. Also, Web site owners need to do their part to keep their sites secure. Ars Technica recently published a readable and useful primer on the major pitfalls that lead to hacked Web sites.

Update, 1:17 p.m. ET: In response to this story, The Los Angeles Times just released the following statement: “On February 6th the Los Angeles Times was made aware that malware was possibly being served by OffersandDeals.latimes.com. We quickly determined the problem was contained within the Offers & Deals sub-domain, which is maintained by a third party. Our forensics team undertook what is now an ongoing investigation and is working closely with the vendor to collect evidence surrounding the event. To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information. As a trusted source of news and information, The Times takes matters of internet security very seriously and are pleased to report that there is no malware currently detectable on Offers & Deals.”