Boing Boing was hacked

It’s not our malware. We don’t know anything more about it than anyone else does. It wasn’t hosted here, we can’t “collect” it for analysis. Any statements we made as to how it operates would be speculation.

14 Likes

This is one of the reasons I love using a password manager with browser plugin. If it isn’t the right site, the password manager doesn’t fill the credentials, and I think “hmm, that’s odd. Why’s my login not working”, giving me a chance to notice something’s off. It’s saved me at least once I can think of and I’m usually pretty careful about not logging into things I don’t type into the address bar myself. It’s especially valuable against the “look alike” unicode characters they’re starting to use for the malicious domain names.

4 Likes
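The hostname matching described in the post above, as an added example that is not part of the original thread: a lookalike name becomes a different punycode hostname, so a lookup keyed on the saved host returns nothing. The vault contents, the function names and the lookalike string are constructed for illustration, and matching is simplified to the exact hostname.

```python
import unicodedata

# Constructed vault: one login saved under the exact hostname it was created on.
VAULT = {"boingboing.net": ("alice", "placeholder-password")}

def wire_name(host):
    """Hostname as it is resolved: IDNA (punycode) encoded and lowercased."""
    return host.strip().rstrip(".").encode("idna").decode("ascii").lower()

def scripts(host):
    """Unicode scripts of the letters in a hostname, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in host if ch.isalpha()}

def autofill(host):
    """Return saved credentials only when the hostname matches exactly."""
    return VAULT.get(wire_name(host))

def explain(host):
    """Summarise why a login was or was not offered for this host."""
    return {
        "wire_name": wire_name(host),
        "mixed_script": len(scripts(host)) > 1,
        "filled": autofill(host) is not None,
    }

if __name__ == "__main__":
    # Constructed lookalike: the second letter is CYRILLIC SMALL LETTER O (U+043E).
    for host in ("BoingBoing.net", "b\u043eingboing.net"):
        print(repr(host), explain(host))
```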

I was using an iPhone and was on BB all weekend without seeing any malware popups…do they typically only target Android and other platforms with weaker security (ducks for cover) than Apple or did I get lucky?

A very wise consideration, which is probably much more helpful than the protection most malware scanners can offer, provided you’re using a browser which still supports proper adblocking (like Brave or Firefox) and not Chrome or Safari.

3 Likes

It felt perfectly normal for BB these days. I was only surprised my ad-blocker didn’t catch it. My only thought was to be annoyed at BB when I saw it.

It was BB’s ever-increasing ad insanity that finally got me to install an ad blocker after many years without one. I had put up with auto-loading, auto-playing videos in BB posts that caused the article text to bounce up and down unreadably, I put up with the bottom-of-the-page ads that covered navigation links. It was the ads on top of all images (including other ads) that finally broke me. Ironically, I had initially assumed those were due to BB being hacked, as they were so outrageous.

18 Likes

Given how many people here thought it was an ad issue (myself included), it would be real nice if BB had an alternative way of throwing some cash their way. I support a few creators on Patreon, and some sites (Nexus Mods comes to mind) have a ‘donate once to make ads go away forever’ option. I’d love to support BB financially, but modern internet advertising is toxic (to your mind AND your PC/phone) so I use an adblocker for everything.

7 Likes

My organization formerly recommended Sophos for macOS, and they have a free product that will do the basics.

As I understand it, there is no anti-virus software for iPhones, in the traditional sense, since that would require escaping the application sandbox to scan the filesystem, which therefore would require a jailbreak level exploit. If you are concerned, I believe the advice is to do a factory reset and restore from backup (this can help with other issues, like slowness or applications crashing or not launching).

So the hacker was clever enough to get admin access to the blog, and all they did was install a janky plugin. Seems like a missed opportunity.

4 Likes

They were probably bulk scanning and plopping down a standard malware plugin. We are real strict about blocking the admin interfaces of our WordPress instances at work, since if you don’t the bad actors sit there and try username/password combinations until one works. There’s tools available that you just point at a site and sit back until it gets a valid login.

7 Likes

I saw the “Google Play Protect” update thing… And didn’t tap on it. BUT: I thought it was an ad and tried to get rid of it, it said something like “this ad is displayed by Google” and “did you find the experience intrusive” or something like it. And I, being stupid, tapped on “the ad covered the content of the site”. Ran AVG Antivirus and Kaspersky, they didn’t find anything. Should I reset my phone?

2 Likes

What seanc0x0 said. A lot of WordPress attacks are automatic attacks to spread malware, including to create and spread botnets. WordPress is so ubiquitous, as are its plug-ins, that there are lots of exploits attacked by bots. It’s one of the disadvantages of using WordPress, especially self-hosted instances.

3 Likes

You know, I experienced this to one degree or another but had already forgotten it happened. I just got redirected a couple of times and ended up just doing something else I think.

2 Likes

This exactly

It took me a little bit before I realized it was something odd but I still thought it was just Boing Boing caving to yet even shittier advertisers in chasing a buck. I thought it was another advertiser paying for intrusive ad behavior and it made me even angrier at this site.

4 Likes

I hope this isn’t an indication that a BB staff member was personally hacked. That could be a lot harder to unravel, and a lot more damaging for the staff member.

6 Likes

If present trends continue, by the end of 2021 every person on Earth will be entitled to free credit monitoring until shortly before the Heat Death of the universe.

12 Likes

Several people here have recommended Brave browser to me and while it is slightly cumbersome it has massively sped up my browsing and got rid of all the crap on this site fairly well.

I highly recommend it. I can’t even visit boing-boing with any other browser at this point because the ads are so intrusive.

I basically only view this site from my phone and I have never figured out what kind of anti malware anything works on Android phones. Can someone recommend a real answer to that, if one exists?

For those of us that got the pop up but did not click on it, do we really still have the possibility of being infected?

2 Likes

Eh, there’s still decent Flash content out there to be seen. And it’s generally very unobtrusive now.

Maybe the article you’re looking at actually has Flash content in it and not a Youtube video?

Presumably there could be some very old embed code involved somehow, but I think Youtube would have shut down anything using old APIs.

Ten years ago: Hacker breaks in, puts dicksuit on the main page.

Now: Hacker decides to put phishing malware up instead.

Evil me would have silently added a js bitcoin miner. :wink:

22 Likes

FWIW in the past 12 months or so I have seen (and fixed) several hacked WordPress sites, in attacks that were not targeted at a specific site, but at a specific vulnerability: the default WordPress configuration reveals user names, and does not prevent brute force login attacks, so each account with a “common” password can be hacked very quickly.

I am not saying this happened in your case, but I leave this here as a word of warning to other people who run a WordPress site and are unaware of this.

6 Likes
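A way for a site owner to spot the login guessing described in the two WordPress posts above, as an added example that is not part of the original thread: it counts POSTs to `wp-login.php` per client in a sliding window over access-log lines. The log lines are constructed, and the threshold, window and function names are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format (not from any real site).
LOG = """\
203.0.113.7 - - [13/Jan/2020:03:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2020:03:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2020:03:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2020:03:10:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2020:03:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2020:03:10:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Jan/2020:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Jan/2020:09:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Jan/2020:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Jan/2020:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log):
    """Yield (ip, time, method, path without query string, status) per line."""
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0], int(status)

def login_bursts(log, threshold=5, window=timedelta(minutes=1)):
    """Map each client with >= threshold login POSTs inside one window to details."""
    attempts = defaultdict(list)
    for ip, when, method, path, status in parse(log):
        if method == "POST" and path.endswith("/wp-login.php"):
            attempts[ip].append((when, status))
    findings = {}
    for ip, hits in attempts.items():
        hits.sort()
        start = worst = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            # Stock WordPress answers a failed login with 200 and a successful one
            # with a 302 redirect, so a 302 after a burst deserves a closer look.
            findings[ip] = {"max_in_window": worst,
                            "redirect_seen": any(s == 302 for _, s in hits)}
    return findings

if __name__ == "__main__":
    print(login_bursts(LOG))
```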

Is this why the comment pages are filled with ads inserted between comments (as seen in my zoomed out screenshot below)? Today is the first time I’m seeing this, on the computer I would have used on Friday during the problem period, which is making me wonder. Various scans are all coming back clean.

(Edited to add [in case it’s helpful]: This isn’t happening when I’m logged in to BBS, only when I’m not logged in)

3 Likes