The Latest in IT Security

Dissecting NBC’s Late Night with Jimmy Fallon Web Site Compromise


Oops, they did it again!

The official Web site (hxxp:// of NBC’s Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google’s Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site, is also known to have affected 15 more domains.

Let’s dissect the campaign, expose the complete domains domains portfolio used in the campaign, reproduce the malicious payload, and establish a direct connection between this campaign, and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.

Sample client-side exploitation chain: hxxp:// –; -> hxxp://

Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to We’ve got several malicious domains currently parked at the same IP and responing, allowing us to obtain the malicious payload used in the campaign affecting NBC’s Web site. Upon further examination, the obtained malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain (, proving that the domains are operated by the same cybercriminal/gang of cybercriminals.

Sample exploitation chain for a currently active malicious domain responding to hxxp:// -> hxxp:// -> hxxp:// -> hxxp://

Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188

Sample detection rates for the reproduced malicious payload:
test.pdf – MD5: 013ed8ef6d92cfe337d9d82767f778da – detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar – MD5: dcba86395938737b058299b8e22b6d65 – detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar – MD5: 2446aa6594fc7935ca13b130d4f67442 – detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB it then attempts to obtain the malicious payload from (

Responding to are also the following malicious domains:

Malicious domain names reconnaissance: – Email: [email protected] – Email: [email protected] – Email: [email protected] – Email: [email protected]

More domains share the same exploitation directory structure (agencept.php?vialjack=) such as for instance:

The same email ([email protected]) is also known to have registered the following phishing domains in the past:

Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices to it, the fact that the C&C/malicious payload acquisition strategy is largely centralized, (thankfully) indicates a critical flaw in their mode of thinking.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Leave a reply


MONDAY, JULY 15, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments