They did say:
If you read Boing Boing this past weekend, please run your local anti-virus and malware scanners.
I would add that you might want to consider installing an ad-blocker.
They did say:
If you read Boing Boing this past weekend, please run your local anti-virus and malware scanners.
I would add that you might want to consider installing an ad-blocker.
Thirded.
Also maybe a good opportunity never to provide authentication credentials such as username, password, ect. to any page or site to which one is redirected from another, and be a very wary bear of links from emails even if it walks and talks like the real deal. This is only going to become more important in the future as phishers, URL highjackers, typosquatters, ect. become more sophisticated in their tools and tactics.
Always think about how you got to a page asking for sensitive information.
If you think you might have been diverted down a blind alley, nuke your browser information from orbit (AKA use the clear all history and data), close it and run your antivirus scanner.
This can be mitigated by using a 2FA management service like Duo so the phone is simply another 2FA device, instead of the 2FA device (with SMS and voice options disabled of course to avoid SIM hijacking attacks).
Hardware keys like Yubikey help as well.
OK, I did see a screen trying to fake an Adobe update and wondered WTF was up.
Let’s not get carried away, there’s no call for such outlandish claims!
I’d say that’s also one of the problems with BoingBoing’s increasingly user hostile ads on the front page, that the actually intended ad experience is so close to being malicious the CMS hack looked like a variation on the “normal” bad advertising user experience or bad ad injection, making the hack initially harder to diagnose and solve.
I’m super pro 2FA, and pro FIDO tokens. But I would add that 2FA only keeps hackers from coming in through the front door. It does nothing to stop other exploits that bypass normal user authentication.
Thank goodness for ad blockers and per-domain Javascript blocking. I didn’t notice a thing.
I’ll be first in line when BoingBoing offers a Patreon or similar, but to me no site is worth disabling ad block.
Except, thanks, but no thanks for the utter lack of details about which malware, which users were vulnerable (e.g., did it target specific platforms, browsers, etc.), and where to find information about detecting and clearing it.
And an excellent reason to add identifying code to the adverts which facilitate adblocking (gawds, but I would love to block each and all posts from the boingboing store on the /blog page).
Fair point. It could be that the IT team doesn’t know how the hack happened. It’s possible to detect a hack and mitigate it (at least partially) without knowing what the initial exploit was. But if they do know any details I do think they should release them.
I’d also add that I hope any BB users who were infected will post about what, if anything, their AV scanners turned up. But, I think that people who were fooled with the half technical, half social engineering attack may not know they have been infected, and the hackers had at least two day head start since this is the first notice that BB has published on the main page.
I don’t even trust it when my AV program pops up on my mac to say it needs permission to update. I always ignore the pop up (even clicking “cancel” could actually be clicking “ok”). Instead I launch the original application and select check for updates.
This is still an unsolved problem on my mac and on android - I have no easy mechanism to tell “authentic” pop ups from potentially forged ones.
I’m using TorBrowser. Do I need to worry? Does TorBrowser allow random widgets to infect it with malware? I’m assuming that it doesn’t, but better safe than sorry…
It was redirecting to the Adobe Flash installer download page, or perhaps something made to look exactly like it, I didn’t look at the URL bar too closely because there was no way in hell I was installing the Adobe Flash plugin.
I did have Chrome’s “Ask first” Flash setting enabled, and when I blocked it entirely, the redirect stopped. I assumed it was hijacking something that let it negotiate which version of Flash was supported, Chrome’s or Adobe’s, without me having to consent to actually run Flash.
Of course, this was the desktop browser, other people are showing that it targeted mobile browsers that typically don’t/can’t have ad block plugins running. I use uBlock Origin, which should have been a red flag that this was no ordinary ad-delivered malware attempt.
Yeah, when that happened, I just assumed that BB had gotten even more intrusive with its ads and this was deliberate. (At this point, that’s pretty much the only possible escalation of advertising left to BB, so it made sense.)
I got those as well and just closed past them and figured it was just more advertising bullshit.
I use uMatrix and never saw the hack. uMatrix allows for easy, totally granular control of permissions by type and domain. Only boingboing dot net is completely whitelisted in my set up. I’d like to know what domain the malicious script was served from. I don’t have even wp dot com white listed for scripting and I’m wondering if that is why I didn’t see it?
Same here, the Adobe Flash update page. But every single link pointed back to the same BB post. Weird, so I didn’t click a darn thing. That post seemed to be the only one that it affected, from where I was sitting over the weekend.
Your next 3 visits to the Boing Boing Store are free!*
*not your items, just your visits
I don’t think I went to the main page at all this weekend…