The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.
On 7 February, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast.
Kubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least 23 December 2012.
Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on 2 and 3 February. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site — via redwolf.newsvine.com