An Important Site Announcement

During the past few weeks many of you may have noticed that the site wasn't functioning at optimal health. A few weeks ago we started getting reports that many of you were seeing malware, trojan horse and other virus warnings when you visited the site. Our initial efforts to resolve this were unsuccessful, and since then we've been working diligently behind the scenes to diagnose exactly what was happening to the site and how we could fix it.

In a nutshell, our site was infected with sophisticated malware that we had great difficulty eradicating despite constant and numerous efforts.

We realize that many of you had your own computers infected as a result and for this we apologize.

Now, after weeks of working on the problem, and having taken the site offline for the past 24 hours, we believe the site is now clean and it's safe to begin browsing blogTO again.

For those of you interested in learning more about the issue, I have put together this FAQ that will hopefully answer most of your questions.

I'M STILL SEEING MALWARE WARNINGS. WHY?

If you're still seeing malware warnings, please notify me immediately at tim [at] blogto [dotcom]. We believe the malware has been removed, so if you're still seeing warnings they may be coming from a cached page or from Google (the site was temporarily flagged as a distributor of malware). Last night we asked Google to review the site again, and it appears they agree with us that the site is now clean. Google has removed the warnings, so hopefully these messages will disappear soon if you're still seeing them.

HOW DO I KNOW IF MY COMPUTER WAS INFECTED?

To check whether your computer was infected, install anti-virus software (or update the virus definitions of your existing one) and run a full scan. We also suggest running an anti-spyware scanner on top of that to double-check that your computer is clean of any traces of the malware. We also strongly recommend switching to a more secure browser such as Firefox or Safari, and keeping your Adobe Acrobat Reader software up to date.

IF I VISITED THE SITE OVER THE PAST FEW WEEKS, DOES THAT MEAN I'M INFECTED?

Not necessarily. For those of you who have good anti-virus software installed, it's likely that your computer blocked the infection without you even knowing about it. Also, you're much more likely to have been infected if you use Windows rather than a Mac.

WHAT DID THE MALWARE LOOK LIKE?

Most of the weird things you might have seen on the site were related to the malware. These included the home page being turned into an ad for Viagra, a ShareThis button or Google Search bar appearing at the top of the page, and pop-ups prompting you to download a suspicious PDF.

WHAT SPECIFICALLY WAS THE SOURCE OF THE MALWARE?

To the best of our knowledge, the site was hacked with the r57shell backdoor, a PHP web shell created by Russian hackers. The hacker (and we have no idea whether they were Russian or from somewhere else) used it to infect two main JavaScript files on the site with malicious JavaScript code commonly named JSRedirector. That code loaded malware exploiting vulnerabilities in Internet Explorer and Adobe Acrobat Reader, which anti-virus software recognizes under different names such as JS:Pdfka-WD or Trojan.Script.Iframer.

WHAT DID YOU DO TO TRY TO RESOLVE THE ISSUE?

In the first few days of the attack, many of you sent us screenshots that helped us pinpoint the infected files. After reviewing the files we were able to locate the malicious code and remove it. Unfortunately, however, the code kept getting re-inserted. We even created a script to remove the code as soon as it appeared, but this didn't prove to be a viable solution.

Since we don't have a web security expert on staff, we sought the help of an external web security expert, who provided additional tools for us to diagnose the issue. What we realized is that despite our best efforts we still had a vulnerability in our server that was allowing the malicious code to be continuously re-inserted. We undertook a number of fixes and upgrades in order to eliminate the vulnerability, but these proved to be unsuccessful.

We also consulted constantly with our web hosting provider, but they were unable to provide any meaningful solutions.
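The two mechanisms described above (a PHP web shell giving the attacker write access, and injected JavaScript that kept reappearing in the site's own files) are both things a site owner can watch for on the server rather than waiting for reader screenshots. The script below is an added example, not blogTO's own cleanup script: it baselines the SHA-256 of every file under a web root, reports files that were added or modified since the baseline, and runs a few generic indicator patterns over the changed files. The pattern names, the hypothetical files (`js/main.js`, `index.php`, `uploads.php`) and the injected content are all constructed for the demonstration; the patterns are broad heuristics, not signatures for the specific malware named on this page.

```python
"""Added example: file-integrity baseline plus injected-content heuristics
for a web root. Sample site, infection and indicator names are constructed."""
import hashlib
import os
import re
import tempfile

# Generic indicators, not signatures for any specific family named on the page.
JS_INJECTION_PATTERNS = [
    ("js_document_write_unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("js_hidden_iframe", re.compile(r"<iframe[^>]+(width|height)\s*=\s*[\"']?0", re.I)),
    ("js_eval_decoded", re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode)", re.I)),
]
PHP_WEBSHELL_PATTERNS = [
    ("php_eval_decoded", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("php_exec_from_request",
     re.compile(r"\b(passthru|shell_exec|system|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
    ("php_variable_function_from_request", re.compile(r"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def scan_content(path):
    """Return the names of indicator patterns that match the file's content."""
    ext = os.path.splitext(path)[1].lower()
    patterns = []
    if ext in (".js", ".html", ".htm", ".php"):
        patterns += JS_INJECTION_PATTERNS   # PHP templates emit HTML/JS too
    if ext in (".php", ".phtml", ".inc"):
        patterns += PHP_WEBSHELL_PATTERNS
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        text = f.read()
    return [name for name, rx in patterns if rx.search(text)]


def check_site(root, baseline):
    """Diff the current tree against the baseline and scan what changed."""
    current = build_baseline(root)
    findings = {"modified": [], "added": [], "deleted": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    findings["deleted"] = sorted(rel for rel in baseline if rel not in current)
    findings["added"].sort()
    findings["modified"].sort()
    # Only changed files are scanned: a clean baseline should never re-alert.
    for rel in findings["added"] + findings["modified"]:
        hits = scan_content(os.path.join(root, rel))
        if hits:
            findings["suspicious"][rel] = hits
    return findings


def demo():
    """Build a constructed clean site, baseline it, then simulate the two
    kinds of tampering described on the page and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "js", "main.js"), "w") as f:
            f.write("function init() { console.log('ok'); }\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        baseline = build_baseline(root)

        # Constructed infection: script tag appended to a legitimate JS file,
        # plus a dropped PHP file that evals whatever is POSTed to it.
        with open(os.path.join(root, "js", "main.js"), "a") as f:
            f.write("document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/x%22"
                    "%20width%3D0%20height%3D0%3E%3C/iframe%3E'));\n")
        with open(os.path.join(root, "uploads.php"), "w") as f:
            f.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
        return check_site(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run `build_baseline` once over a known-clean deployment (ideally from the release you deploy, not from the live server), store the result somewhere the web server cannot write, and schedule `check_site` to alert on any difference. A file that keeps coming back modified after you clean it is the important signal: something with write access to the web root is still present, whether a web shell, a stolen credential or a server vulnerability, and re-cleaning the JavaScript alone will not fix that.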

HOW DID YOU FINALLY RESOLVE THE ISSUE?

We believe the issue is now resolved after applying additional fixes and, most importantly, moving to a new server. Moving to a new server caused the site to be inaccessible for the last 24 hours.

WHY DIDN'T YOU SHUT DOWN THE SITE WHEN YOU FIRST FOUND OUT IT WAS INFECTED?

Hindsight is 20/20, as they say, and if we had known then what we know now we certainly would have handled things differently. The fact is that on numerous occasions we thought we had resolved the issue, and it was only through repeated emails from some of you that we realized how sophisticated the breach was and that the latest effort had not succeeded. Every day we thought we had a solution, and therefore didn't think shutting down the site was necessary, as we were being very proactive in eradicating the malware. Obviously, at a certain point we had to acknowledge that things had gotten out of hand and that it was no longer appropriate to keep the site live, which is why we took the site down yesterday.

WHY DIDN'T YOU COMMUNICATE WHAT WAS GOING ON?

We definitely could have handled things better. Many of you emailed us and sent us messages via Twitter which we responded to directly. In hindsight, we should have posted something on the site.

WHAT NEXT?

We're very grateful that you care enough about the site to read this FAQ and hope to earn your trust that blogTO will offer a safe, malware-free web browsing experience going forward. We, of course, will continue to monitor the situation and will work at resolving further issues should they arise.
