LA Times website redirected users to exploit kit for over six weeks

A sub-domain of Los Angeles Times’ website has been redirecting visitors to compromised websites hosting the latest version of the Blackhole exploit kit for over six weeks (since Dec. 23, 2012), says Brian Krebs, and estimates that some 325,000 visitors were exposed to the attack.

Alerted to the fact that something was wrong with by some of its readers, he investigated the matter with the help of Avast’s director of threat intelligence Jindrich Kubec, who checked it and confirmed that the tips were, indeed, true and correct.

When first contacted, LA Times spokeswoman Hillary Manning stated that the problem was tied to the recent hack of the NetSeer advertising network site, which resulted in Google blocking popular third-party sites – among them the New York Times, the Washington Post, ZDNet and the LA Times – that were serving ads provided by the ad network. She claimed that the problem had been solved and that there were no additional ones.

Unfortunately for the publication, that was not true, as Avast and other security companies continued to detect exploits coming from the sub-domain. In a statement released a few hours later, the LA Times conceded that the security companies’ readings were accurate, and that they resolved the situation.

“On February 6th the Los Angeles Times was made aware that malware was possibly being served by We quickly determined the problem was contained within the Offers & Deals sub-domain, which is maintained by a third party,” they stated.

“Our forensics team undertook what is now an ongoing investigation and is working closely with the vendor to collect evidence surrounding the event. To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information. As a trusted source of news and information, The Times takes matters of internet security very seriously and are pleased to report that there is no malware currently detectable on Offers & Deals.”

More about

Don't miss