
Cyber Incident Victim: Boing Boing

Date:

Jan 2020

Location:

United States of America

Summary

The popular blog Boing Boing was compromised when attackers injected malicious code into its WordPress theme. The injected code redirected desktop visitors to fraudulent Adobe Flash update pages and Android visitors to fake security pop-ups styled as Google warnings. The site's operators removed the injected code, reset credentials, and used the 72 hours of access logs they retained to identify the source of the breach. They then modified their CMS to keep a separate audit log of administrative actions, so that future investigations are not limited to what the web server's access logs happen to record. The lures relied on common social engineering tactics: malware offered as a legitimate software update or as a response to a device security alert.


Description

On January 10, 2020, attackers compromised the Boing Boing website by injecting malicious code into its WordPress theme. The injected code redirected visitors to fraudulent pages chosen by device type. Desktop users were shown a spoofed Adobe Flash update prompt designed to get them to download malware, while Android users received fabricated Google security alerts falsely claiming their devices were compromised. Both lures are established social engineering techniques that have long been used to distribute malware disguised as legitimate software updates or system warnings. The redirects remained active until Boing Boing's team identified and removed the injected code.
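Injected theme code of the kind described above is easiest to find by comparing the theme directory against a hash manifest taken while the theme was known-good, and then looking inside any added or changed file for the combination of user-agent sniffing, a device branch, and a redirect. The following Python script is an added example and is not code from Boing Boing or from the page; the indicator patterns, file names, and the injected snippet (with placeholder URLs) are constructed for illustration and are not the code recovered from the incident.

```python
"""Integrity check for a WordPress theme directory.

Compares the files on disk against a baseline manifest of SHA-256 hashes
(recorded when the theme was known-good) and reports anything added or
changed. Changed files are then scanned for the indicators of the injection
type described above: a script that sniffs the user agent and redirects.
"""
import hashlib
import os
import re
import tempfile

# Indicators of a user-agent-conditioned redirect. These patterns are
# assumptions for this example, not the code recovered from the incident.
UA_SNIFF = re.compile(r"navigator\.userAgent|HTTP_USER_AGENT", re.I)
DEVICE_BRANCH = re.compile(r"\bAndroid\b|\bWindows\b|\bMacintosh\b", re.I)
REDIRECT = re.compile(r"(?:window\.)?location(?:\.href)?\s*=|header\(\s*['\"]Location:", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(theme_dir):
    """Map relative path -> sha256 for every file under theme_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, theme_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def scan_for_redirect(path):
    """True if the file contains UA sniffing, a device branch and a redirect."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    return bool(UA_SNIFF.search(text) and DEVICE_BRANCH.search(text) and REDIRECT.search(text))


def audit_theme(theme_dir, baseline):
    """Diff the live theme against the baseline, then scan what changed."""
    added, modified, removed = diff_manifest(baseline, build_manifest(theme_dir))
    suspicious = [p for p in added + modified if scan_for_redirect(os.path.join(theme_dir, p))]
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
# Constructed snippet modelled on the behaviour described above (desktop ->
# fake Flash page, Android -> fake Google alert). URLs are placeholders.
INJECTED_FOOTER = CLEAN_FOOTER + (
    "<script>\n"
    "var ua = navigator.userAgent;\n"
    "if (/Android/i.test(ua)) { window.location.href = 'https://example.invalid/google-alert'; }\n"
    "else if (/Windows|Macintosh/i.test(ua)) { window.location.href = 'https://example.invalid/flash-update'; }\n"
    "</script>\n"
)


def demo():
    """Record a known-good manifest, simulate the injection, and re-audit."""
    with tempfile.TemporaryDirectory() as theme_dir:
        with open(os.path.join(theme_dir, "footer.php"), "w") as f:
            f.write(CLEAN_FOOTER)
        with open(os.path.join(theme_dir, "style.css"), "w") as f:
            f.write("/* Theme Name: Example */\n")
        baseline = build_manifest(theme_dir)  # taken while the theme is trusted
        with open(os.path.join(theme_dir, "footer.php"), "w") as f:
            f.write(INJECTED_FOOTER)  # the compromise: redirect appended to footer
        with open(os.path.join(theme_dir, "cache.php"), "w") as f:
            f.write("<?php // dropped file, absent from baseline\n")
        return audit_theme(theme_dir, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest diff is the part that matters: it catches a dropped file like `cache.php` that matches no indicator at all, while the pattern scan only prioritises which changed files to read first. Store the baseline manifest outside the web root, or the attacker who can edit the theme can edit the manifest too.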


Boing Boing began remediation by purging the malicious code from its WordPress theme and resetting all user login credentials and access tokens. Forensic analysis relied on the 72 hours of access logs the site retained, which proved sufficient to trace the compromise to a specific user account exhibiting suspicious behavior. The organization confirmed that no logs existed beyond this 72-hour window because of its prior retention policy. As a post-incident improvement, it modified its content management system to keep a dedicated administrative audit log, separate from the web server's access logs, so that user actions can be reconstructed in future investigations. The company publicly advised potentially affected visitors to scan their devices with updated antivirus software but did not disclose evidence of successful malware infections resulting from the incident.
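The retention constraint described above shapes how the log review has to be done: only requests inside the window can be examined, and anything relevant that falls outside it is simply gone. The following Python script is an added example, not code from Boing Boing or from the page. It parses combined-format access log lines, keeps those inside a 72-hour window ending at the time of discovery, flags requests to the wp-admin endpoints through which theme files are edited, groups them by client address, and counts relevant events that were already outside the window. The log lines, IP addresses, timestamps, theme name and the endpoint watchlist are constructed for illustration.

```python
"""Triage of web-server access logs after a WordPress theme injection.

Parses combined-format log lines, keeps only those inside the retention
window, and flags requests that open or save theme files through wp-admin.
All log lines and timestamps below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed watchlist: the built-in theme editor (GET opens a file, POST saves it)
# and update.php, which installs or upgrades theme and plugin packages.
THEME_EDITOR = "/wp-admin/theme-editor.php"
UPDATE_ENDPOINT = "/wp-admin/update.php"

# Constructed sample: discovery at noon UTC on 11 Jan; the window starts 08 Jan 12:00.
DISCOVERED_AT = datetime(2020, 1, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2020:22:41:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2020:09:30:00 +0000] "GET /wp-admin/theme-editor.php?file=header.php&theme=example-theme HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:03:13:40 +0000] "GET /wp-admin/theme-editor.php?file=footer.php&theme=example-theme HTTP/1.1" 200 8304 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2020:03:14:22 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "https://example.invalid/wp-admin/theme-editor.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2020:09:00:01 +0000] "GET / HTTP/1.1" 200 45120 "-" "Mozilla/5.0 (Linux; Android 10)"',
    '198.51.100.7 - - [10/Jan/2020:09:00:02 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Linux; Android 10)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def touches_theme_code(rec):
    """True for requests that can read or change theme source through wp-admin."""
    base = urlsplit(rec["path"]).path
    if base == THEME_EDITOR:
        return True
    return rec["method"] == "POST" and base == UPDATE_ENDPOINT


def edited_file(rec):
    """The theme file named in the editor's query string, if any."""
    return parse_qs(urlsplit(rec["path"]).query).get("file", [None])[0]


def in_window(rec, discovered_at, retention):
    return discovered_at - retention <= rec["ts"] <= discovered_at


def triage(lines, discovered_at, retention=timedelta(hours=72)):
    """Flag theme-editing requests inside the window; count those already lost."""
    flagged, outside_window = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not touches_theme_code(rec):
            continue
        if in_window(rec, discovered_at, retention):
            flagged.append(rec)
        else:
            outside_window += 1  # relevant, but older than what is retained
    by_ip = defaultdict(list)
    for rec in flagged:
        by_ip[rec["ip"]].append(rec)
    return {"flagged": flagged, "by_ip": dict(by_ip), "outside_window": outside_window}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, DISCOVERED_AT)
    for rec in result["flagged"]:
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], edited_file(rec))
    print("relevant events outside retention window:", result["outside_window"])
```

Two limits of this approach are visible in the sample. The earlier visit to the editor on 8 January is relevant but falls outside the window, so it cannot be reviewed; and the access log records a client address, not a WordPress user, so the save on 10 January has to be tied to an account through login events and session correlation rather than read directly. An application-level audit log that records the authenticated user, the action, and the file touched, kept under a longer retention period than the access logs, removes both gaps; that is the role of the separate administrative audit log described above.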
