The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them.
Websense customers are protected from this threat with ACE our Advanced Classification Engine.
The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment (see image 2 marked in red). Our ThreatSeeker network also spotted that hosts of localized versions of GoPro.com are injected with malicious code as well; for example the local website of GoPro France at fr.gopro.com. Other local versions include:
de.gopro.com
es.gopro.com
fr.gopro.com
it.gopro.com
jp.gopro.com
pt.gopro.com
Image 1: The official Website of gopro.com – the main page
Image 2: The injected code marked with red on the official website of GoPro (at gopro.com)
Once a user visits gopro.com the injected code (marked in red) gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise.net (see image 3 for full URL). The malicious redirector at ad.fourtytwo.proadvertise.net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath.com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post that malware has ~9% antivirus detection rate, according to virustotal.com.
Image 3: The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website
Image 4: The exploit Website is loaded with the infamous Blackhole Exploit Kit
We shall update the blog with additional information as it comes to light.
Leave a reply
