On Friday, the extremely popular Boing Boing blog was hacked by an unknown party who planted malicious code into the site’s WordPress theme.
Around 11:30 EST on January 10th, An unknown party logged into Boing Boing’s CMS using the credentials of a member of the Boing Boing team.
They proceeded to install a widget into our theme that allowed them to redirect users to a malware page hosted at a third party.
Users visiting the site from desktop computers reported that they were redirected to what pretended to be a download page for an Adobe Flash update.
Meanwhile, Android surfers were presented with a pop-up purporting to come from Google, claiming that their phone was unsafe.
These aren’t new tricks. Cybercriminals have long duped internet users into installing code by pretending to be a genuine update to Adobe Flash, or a warning from an operating system vendor that action has to be taken to secure a device.
There are obviously lots of questions that may need to be asked. For starters:
- How did the attacker manage to get their hands on a Boing Boing staff member’s password?
- Was the Boing Boing worker phished or had their password guessed?
- Were they making the mistake of reusing the same password?
- How did the attacker manage to avoid the authentication systems Boing Boing uses on its website? (Boing Boing claims to have TOTP 2FA integrated into its CMS login system)
- Does Boing Boing do IP look-ups on users logging in to see if they are connecting from an ‘unexpected’ location?
- Was Boing Boing running vulnerable out-of-date plugins on the website?
Boing Boing says that it cleaned-up the infection, and changed login credentials for its users. Oddly they say that they only keep logs of its staff’s account activity for 72 hours, which seems a little risky to me:
These wrinkles aside, it’s good to see Boing Boing warning its users promptly of the issue and demonstrating transparency.
If you have visited Boing Boing’s website in the last few days and fear your computer may have been compromised you may be wise to run an up-to-date anti-virus program.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Boing Boing bounces back after hack attempted to infect users with fake Adobe Flash update”
I bet they never release the name of the admin who's credentials were used.