The Latest in IT Security

Herald Media News Portal Compromised, Used to Serve Exploits


Barracuda Labs – Beginning in early May 2012 and persisting over a period of ten days, Herald Media’s primary news portal ( was compromised and used to serve drive-by download exploits. Based in Seoul, South Korea, Herald Media’s publications include The Korea Herald and The Business Herald.

Starting on May 9, a javascript resource used throughout the website was modified to iframe into malicious content. As an example, visiting the front page of The Business Herald ( produces a resource request for a file named publishing.js, which during the period of compromise (May 9 – May 20) included content shown in the following screenshot.

Per the above screenshot, malicious javascript at the end of publishing.js iframed into one of several URLs served by, such as:


These URLs gathered plugin information and loaded one of several Java exploits, such as an exploit that targets CVE-2012-0507. If successful, the exploits install password-stealing malware on the compromised system. At the time of this writing, AhnLab, which has 65% of the South Korean security software market, does not detect the Java exploits or Windows executable as malicious.

The Herald Media website is an Alexa top 5,000 domain; in South Korea, it is one of the 100 most-viewed sites. Due to the longevity of the compromise and popularity of the domain, Barracuda conservatively estimates that over 740,000 users were served malicious content. Based on the exploits employed, at least 115,000 systems were successfully infected.

Additional information about recurring maliciousness in popular domains will be available in Barracuda’s upcoming May 2012 report on Alexa top-ranked websites.

by Paul Royal, Research Consultant

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments