Sunday, May 15, 2011

India’s DNA e-newspaper website infected with fake antivirus campaign

DNA (Daily News and Analysis) is an Indian daily English language newspaper. According to Wikipedia, DNA ranks 8th among the top ten English dailies in India. Recently, the Zscaler solution was blocking access to this site, as it contained malicious content. Here is the homepage of this website:
The ‘Today’s E-newspaper’ link (circled above) is an online version of the printed periodical. We discovered that one of the pages from this e-newspaper site was infected with malicious script. Here is the screenshot of that page:
The malicious script tag had been inserted in plain text as can be seen in this screenshot of page
source:

The malicious script tag directs the victim’s browser to ‘hxxp://vcvsta.com/ur.php’. This page then redirects the user to another malicious site (‘hxxp://www4.to-gysave.byinter.net,), which will again redirect victim to random sites hosting fake antivirus campaigns. Here is the screenshot displaying a fake malware alert:


As usual, page employs social engineering tactics, which display fake warning messages and threat names to scare the victim into downloading a fake AV product. The VirusTotal result for the downloaded binary currently shows only 10/43 AV engines detecting this particular attack. Here we have yet another example of a legitimate and popular websites being infected so that the attacker(s) can impact a significant number of victims.

Umesh

1 comment:

Niks said...

Great work Umesh