On Friday, the extremely popular Boing Boing blog was hacked by an unknown party who planted malicious code into the site’s WordPress theme.
Around 11:30 EST on January 10th, an unknown party logged into Boing Boing’s CMS using the credentials of a member of the Boing Boing team.
They proceeded to install a widget into our theme that allowed them to redirect users to a malware page hosted at a third party.
Users visiting the site from desktop computers reported that they were redirected to what pretended to be a download page for an Adobe Flash update.
Meanwhile, Android surfers were presented with a pop-up purporting to come from Google, claiming that their phone was unsafe.
These aren’t new tricks. Cybercriminals have long duped internet users into installing code by pretending to be a genuine update to Adobe Flash, or a warning from an operating system vendor that action has to be taken to secure a device.
There are obviously lots of questions that may need to be asked. For starters:
- How did the attacker manage to get their hands on a Boing Boing staff member’s password?
- Was the Boing Boing worker phished or had their password guessed?
- Were they making the mistake of reusing the same password?
- How did the attacker manage to avoid the authentication systems Boing Boing uses on its website? (Boing Boing claims to have TOTP 2FA integrated into its CMS login system)
- Does Boing Boing do IP look-ups on users logging in to see if they are connecting from an ‘unexpected’ location?
- Was Boing Boing running vulnerable out-of-date plugins on the website?
Boing Boing says that it cleaned up the infection and changed the passwords and access tokens of its CMS users. Oddly, it says that it only keeps logs of its staff’s account activity for 72 hours, which seems a little risky to me:
“The BB team then proceeded to change passwords, access tokens, confirm access rights, and perform log analysis of the behavior of the user. As stated in our privacy policy, we only keep 72 hours worth of logs, but this was sufficient to track down the malicious activity and user account in question and react accordingly. We also took steps to modify our CMS to ensure a separate audit log (outside our 72-hour access logs) will be maintained in the future to help us track down administrative actions within our publishing software in the event of future breaches, so we are able to take action and determine the scope of a breach more thoroughly in the future.”
These wrinkles aside, it’s good to see Boing Boing warning its users promptly of the issue and demonstrating transparency.
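As an added example (not Boing Boing’s code, and not part of the original post), the following Python script runs the two checks the post raises over constructed web-server access-log lines: it flags successful wp-login.php logins from outside an assumed allow-list of staff networks (a static stand-in for the IP look-up asked about above), correlates any widget or theme edits that follow from the same address, and shows what a 72-hour log window does to the same review when it is run four days later. The log lines, addresses, networks and timestamps are all constructed, the year is assumed, and the `action=save-widget` query string is an assumption made so the widget save is visible in an access log at all.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Apache "combined" format lines (not real Boing Boing logs). The
# rogue session is modelled on the article: a login around 11:30 EST on
# 10 January followed by a widget save. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jan/2020:14:02:11 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jan/2020:14:03:40 -0500] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:11:29:58 -0500] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
198.51.100.7 - - [10/Jan/2020:11:30:21 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
198.51.100.7 - - [10/Jan/2020:11:31:05 -0500] "POST /wp-admin/admin-ajax.php?action=save-widget HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
203.0.113.10 - - [10/Jan/2020:15:10:30 -0500] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Assumed allow-list of networks staff normally log in from; a static stand-in
# for the IP/geo look-up the article asks about.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["path"], _, e["query"] = m.group("path").partition("?")
        events.append(e)
    return events


def in_retention(events, now, hours=72):
    """Keep only events inside the retention window, as a 72-hour access log would."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if e["ts"] >= cutoff]


def ip_expected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def successful_logins(events):
    # WordPress answers a correct POST to wp-login.php with a 302 to wp-admin;
    # a failed attempt re-renders the form with 200.
    return [e for e in events
            if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 302]


def is_admin_write(e):
    """POSTs that change what the site serves: widget and theme-file edits."""
    if e["method"] != "POST":
        return False
    if e["path"] in ("/wp-admin/widgets.php", "/wp-admin/theme-editor.php"):
        return True
    # Widget saves go through admin-ajax.php. Assumed here that the action is
    # visible in the query string; in practice it travels in the POST body,
    # which an access log never records and a CMS-side audit log would.
    return e["path"] == "/wp-admin/admin-ajax.php" and "action=save-widget" in e["query"]


def admin_writes_after(events, login, window=timedelta(hours=1)):
    """Admin writes from the login's address within the window after the login."""
    return [e for e in events
            if e["ip"] == login["ip"] and is_admin_write(e)
            and login["ts"] < e["ts"] <= login["ts"] + window]


def login_alerts(text, now=None):
    """Flag successful logins from unexpected networks and the admin writes that followed.

    `now` (ISO 8601 string or datetime) simulates reviewing a 72-hour access log
    at that moment; None analyses every line given.
    """
    events = parse_log(text)
    if now is not None:
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        events = in_retention(events, now)
    alerts = []
    for login in successful_logins(events):
        if ip_expected(login["ip"]):
            continue
        writes = admin_writes_after(events, login)
        alerts.append({
            "ip": login["ip"],
            "ts": login["ts"].isoformat(),
            "user_agent": login["ua"],
            "admin_writes": [w["path"] + ("?" + w["query"] if w["query"] else "") for w in writes],
        })
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(SAMPLE_LOG):
        print(alert)
    # Reviewed two days after the login the event is still in a 72-hour log;
    # reviewed four days after, the same check finds nothing.
    print(login_alerts(SAMPLE_LOG, now="2020-01-12T11:00:00-05:00"))
    print(login_alerts(SAMPLE_LOG, now="2020-01-14T11:00:00-05:00"))
```

The allow-list check is deliberately crude: a real deployment would use a geo-IP or ASN lookup and per-user history rather than one static network. The more important limitation is the one the article’s quote points at: the access log shows a POST to admin-ajax.php but not what was saved, so tying the widget change to an account needs the separate, longer-lived audit log Boing Boing says it is adding.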
If you have visited Boing Boing’s website in the last few days and fear your computer may have been compromised you may be wise to run an up-to-date anti-virus program.
I bet they never release the name of the admin whose credentials were used.