
Guys, you're killing us! LA Times homicide site hacked to mine crypto-coins on netizens' PCs

And they say there's no money to be made in newspapers


A Los Angeles Times website has been silently mining crypto-coins using visitors' web browsers and PCs for several days – after hackers snuck mining code onto its webpages.

The newspaper's IT staffers left at least one of the publication's Amazon Web Services S3 cloud storage buckets wide open for anyone on the internet to freely change, update, and tamper with.

Miscreants seized upon this security blunder to slip CoinHive's Monero-mining JavaScript code into the LA Times' interactive county homicide map at homicide.latimes.com.

People visiting this site will inadvertently start crafting alt-coins for whoever injected the code, unless they have antivirus or ad-blockers installed that prevent such scripts from loading. This particular coin-crafting script has remained hidden on the website since February 9.

For now it's probably a good idea to avoid that website and other LA Times online properties until the bucket is protected – software more malicious than a miner could be uploaded and injected, such as password sniffers and drive-by malware installers.

The scumbags who implanted the hidden crypto-miner were not the only ones to find the newspaper's world-writable S3 bucket. Others left a warning note, with the filename BugDisclosure.txt, in the vulnerable cloud storage urging technicians to secure the account:

Hello, This is a friendly warning that your Amazon AWS S3 bucket settings are wrong. Anyone can write to this bucket. Please fix this before a bad guy finds it.

The bucket is used to host graphics and other material for the daily paper's website. It appears an administrator has not only left read permissions open on the silo, but also enabled global write permissions, meaning anyone so inclined would be able to waltz right in and inject code and other files into the paper's websites.

Naturally, someone soon did just that – the malicious JavaScript code can be found perched atop some innocent code within the murder map.

[Screenshot caption: Off script ... The injected evil code found on an LA Times website]

We have asked the LA Times for comment. A spokesperson was not immediately available. Infosec researcher Troy Mursch, who has been tracking these kinds of crypto-jacking attacks, also reached out earlier today to the Times, and said he had no response. We also reported the mining activity to CoinHive.

This is not the first case of a biz being exposed by an incorrectly configured S3 storage bin. Security researchers have created a cottage industry out of combing the internet for AWS buckets that have been improperly configured, resulting in the accidental exposure of millions of records and pieces of personal information.

Only this week were experts warning that it's not just world-readable silos people need to be worried about – world-writable ones allow miscreants to inject malware into websites, encrypt documents and hold them to ransom, and so on.

Hundreds of warning notes, alerting IT admins to insecure world-writable buckets, have recently appeared in S3 silos, courtesy of gray-hat hackers.

Needless to say, if you administer one or more S3 storage buckets, now would be a good time to make sure your access controls (both read and write) are properly configured to keep unauthorized netizens out. Amazon has tools available to prevent this kind of cockup. S3 silos are, by default, not accessible to the public internet. ®
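One way to run the read-and-write check described above, as an added example that is not part of the original article or any AWS tool: it audits a bucket ACL (in the shape S3's GetBucketAcl returns) and a bucket policy document for grants to everyone. The function names and sample data are constructed for illustration, and NotPrincipal/NotAction statements are not evaluated.

```python
import json

# ACL grantee URIs that mean "anyone" / "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ("s3:put", "s3:delete", "s3:*", "*")  # lower-cased prefixes

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_acl(acl):
    """Flag public grants in a dict shaped like a GetBucketAcl response."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            perm = grant["Permission"]
            kind = "public-write" if perm in WRITE_PERMS else "public-other"
            findings.append((kind, f"ACL {perm} to {group}"))
    return findings

def audit_policy(policy_json):
    """Flag Allow statements in a bucket policy whose principal is everyone."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        who = st.get("Principal")
        public = who == "*" or (isinstance(who, dict) and "*" in _as_list(who.get("AWS", [])))
        if st.get("Effect") != "Allow" or not public:
            continue
        note = " (has Condition, review by hand)" if "Condition" in st else ""
        for action in _as_list(st.get("Action", [])):
            kind = "public-write" if action.lower().startswith(WRITE_ACTIONS) else "public-other"
            findings.append((kind, f"policy allows {action} to *{note}"))
    return findings

def world_writable(acl, policy_json=None):
    findings = audit_acl(acl) + (audit_policy(policy_json) if policy_json else [])
    return any(kind == "public-write" for kind, _ in findings)

# Constructed sample: a bucket left open for both read and write.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Any "public-write" finding means anyone on the internet can alter what the bucket serves, which is the condition the article describes.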

Updated to add at 00:56 UTC

The CoinHive code has been stripped from the LA Times' website.
