Popular blog site Boing Boing announced Monday that it had been hacked by an unknown party who injected malicious code into its site. According to the group blog, the code was injected into its WordPress themes and was designed to redirect readers to a malware page.
“Around 11:30 EST on January 10th, an unknown party logged into Boing Boing’s CMS using the credentials of a member of the Boing Boing team,” Boing Boing wrote in a post.
“They proceeded to install a widget into our theme that allowed them to redirect users to a malware page hosted at a third party.”
Pointing to the nature of programmatic advertising, Boing Boing said it had mistaken the code for a “malicious adscript” that redirects users to an unsecured page. With this in mind, the site responded by reporting the activity through its ad partner’s “bad ad” reporting page.
While the malicious code was later revealed not to be an ad, Boing Boing claimed that the action enabled its ad partner to identify the issue and inform the site about the specifics of the attack.
“Once this was confirmed, we removed the offending code immediately from our servers and our CDN partners,” the blog explained.
In an article from Graham Cluley, desktop users who had visited the site were reported to have been redirected to a malicious Adobe Flash update download page. Meanwhile, those who had visited the site using their Android devices were “presented with a pop-up purporting to come from Google, claiming that their phone was unsafe.”
In response to the incident, Boing Boing advised those who had visited the site over the weekend to run local anti-virus and malware scanners. To prevent the same attack from happening again, the popular blog site also said it had taken various security measures and had its employees change their login credentials.
“From a systems security perspective, this is an excellent cautionary tale of the importance of individual user security,” Boing Boing added.