Malicious code lived on the website of the Los Angeles Times for 6 weeks, clandestinely redirecting visitors to another site booby-trapped with the Blackhole exploit kit.
The problem first came to the attention of security blogger Brian Krebs, who on Feb. 7 followed up on tips from readers by reaching out to his Twitter followers.
Jindrich Kubec, director of threat intelligence at Czech security firm Avast, confirmed the problem in a tweet shortly thereafter and said the malicious code had been in place since Dec. 23.
L.A. Times spokeswoman Hillary Manning originally told Krebs the problem was caused not by the newspaper, but by a widespread bug in an ad network that had affected many media sites, including TechNewsDaily, earlier this month.
"The impacted sections of our site were quickly cleared, and there was never any danger to users," Manning told Krebs in an email.
That later proved to be incorrect. After the ad-network problem was ruled out, researchers at Avast who were monitoring the situation continued to see malicious code and browser redirects. Manning admitted to Krebs that the ad issue was a separate and unrelated problem.
The malicious code appeared only on the "Offers and Deals" section of the L.A. Times website, which serves up classified ads and is run by a third party.
Extrapolating from Alexa traffic figures, Krebs estimated that about 324,000 visitors might have been exposed to the Blackhole exploit kit, which is inserted into high-traffic websites without the knowledge of site administrators.
Exploit kits bombard visiting browsers with one exploit after another until something gets through, triggering a drive-by download that opens the floodgates to all sorts of malware — spam bots, keyloggers, banking Trojans, fake anti-virus software and ransomware, just to name a few possibilities.
Victims of drive-by downloads, which affect Windows, Mac and Linux machines alike, often don't know they've been hit.
Computer users can best protect themselves against such attacks by keeping their Web browsers and browser plug-ins up to date, disabling Java plug-ins and running constantly updated anti-virus software.
After Krebs posted his story Wednesday (Feb. 13), the L.A. Times released a press statement.
"On February 6th, the Los Angeles Times was made aware that malware was possibly being served by OffersandDeals.latimes.com," the news organization said. "Our forensics team undertook what is now an ongoing investigation and is working closely with the [third-party] vendor to collect evidence surrounding the event. To ensure safety, the Offers & Deals platform has been rebuilt and further secured."