The Latest in IT Security

Popular Media Sites Involved in Mass Compromise

09
May
2013

Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC – Federal News Radio and WTOP. It’s not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise.


Sadly, mass compromises are now the norm. Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait – being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser’s User Agent string reveals that Internet Explorer (IE) is being used.  When IE is used to view one of the infected pages, the following code is sent to the browser:


Ofuscated JavaScript injected into a webpage at WTOP.com
Deobfuscated version of the injected code

This obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp.biz and hopto.org) involved and the actual URLs (which are numerous), conform to the following pattern:


   \/[a-z0-9]{14,15}\/[a-z0-9]{32}\/
Example URL 


Once redirected to the malicious URLs, Fake AntiVirus scams and the ZeroAccess Trojan are delivered to the victim. MD5s for malware delivered include the following:






2e1997982c4dde48a995df5061f1438f
2b150bd07bb74426d676d8cb47451fd0
62547040ac637b63c2d531e17438597a
8858050e303cca778e5083ed4e442763
eee9941e4d01b65061f4fb621b2d708d
b43c1d19d35e3606a7b6227cef561986






Thus far, Zscaler has identified the following compromised sites:


 


Media Sites


    

  • WTOP Radio (Washington, DC) - wtop.com
    • 

  • Federal News Radio (Washington, DC) - federalnewsradio.com
    • 

  • The Christian Post - christianpost.com
    • 

  • Real Clear Science - realclearscience.com
    • 

  • Real Clear Policy - realclearpolicy.com
    • 


Others

    

  • scubaboard.com
    • 

  • mrsec.com
    • 

  • menupix.com
    • 

  • xaxor.com
    • 

  • gvovideo.com
    • 





At the time of posting, these compromised sites were still offering up malicious content.





Related posts:
    

  1. Mass Compromise of Sites at gogvo.com – SEO Spam 
    2. 

  2. Mass infection of WordPress sites ( counter-wordpress.com ) 
    3. 

  3. Mass Compromise includes ComputerWorld MX 
    4. 

  4. Massive Compromise of WordPress-based Sites but ‘Everything will be Fine’ 
    5. 

  5. osCommerce Mass Compromise Leads to Information Theft 
    6. 










Tags:  








Written by
Zscaler Research





0 Comments









































Leave a reply


































 































 


 










 


Categories





 

FRIDAY, APRIL 26, 2024



 





WHITE PAPERS








Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators: 

Many governments embrace mobile network operator (MNO) networks as ...








ARA at Scale: How to Choose a Solution That Grows With Your Needs: 

Application release automation (ARA) tools enable best practices in...








The Multi-Model Database: 

Part of the “new normal” where data and cloud applications are ...











Featured
 


Archives
 



Latest Comments