Monday, May 6, 2013

Popular Media Sites Involved in Mass Compromise

Update (May 9): OSIRT had the opportunity to review the infected web app code for one of the compromised sites and has a great write-up to explain what was happening from a server-side vantage point.

Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise.

Sadly, mass compromises are now the norm. Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers therefore write a script designed to comb the web for popular sites exposing a common flaw and, when one is identified, inject a single line of malicious code into the site. In that way, any user visiting the otherwise legitimate (but now infected) site can become a victim. This particular threat also displays another common trait: it is dynamic in nature and only delivers content if the victim's browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User-Agent string reveals that Internet Explorer (IE) is being used. When IE is used to view one of the infected pages, the following code is sent to the browser:

[Image: Obfuscated JavaScript injected into a webpage at WTOP.com]

[Image: Deobfuscated version of the injected code]

This obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp.biz and hopto.org) involved, and the actual URLs (which are numerous) conform to the following pattern:

   \/[a-z0-9]{14,15}\/[a-z0-9]{32}\/

[Image: Example URL]
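As an added example (not code from the original post), the following Python scans proxy log lines for requests that hit both indicators given above: a host under one of the two named DynDNS zones and a path matching the quoted pattern. The log layout, hostnames and paths are constructed for illustration; the UA check reflects the post's observation that the iframe was only served to IE.

```python
import re
from urllib.parse import urlparse

# Dynamic DNS zones named in the post, and the path shape the post gives
# for the redirect URLs (applied unanchored, exactly as quoted there).
DYNDNS_ZONES = ("myftp.biz", "hopto.org")
PATH_PATTERN = re.compile(r"/[a-z0-9]{14,15}/[a-z0-9]{32}/")

# Assumed proxy log layout: timestamp, client IP, quoted User-Agent, URL.
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample lines (not real traffic); hostnames and paths are made up.
SAMPLE_LOG = """\
2013-05-06T10:01:12Z 10.0.0.5 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)" http://redir.hopto.org/abcdefghijklmn/0123456789abcdef0123456789abcdef/
2013-05-06T10:01:13Z 10.0.0.5 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)" http://wtop.com/abcdefghijklmn/0123456789abcdef0123456789abcdef/
2013-05-06T10:02:40Z 10.0.0.9 "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0" http://node01.myftp.biz/zyxwvutsrqponml/fedcba9876543210fedcba9876543210/
2013-05-06T10:03:01Z 10.0.0.7 "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1)" http://updates.hopto.org/short/path/
"""


def is_dyndns_host(host):
    """True if host is one of the listed DynDNS zones or a name under one."""
    host = host.lower()
    return any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)


def find_redirect_hits(log_text):
    """Return (client_ip, url, ua_is_ie) for every request whose host is in a
    listed DynDNS zone AND whose path matches the observed pattern.
    Either condition alone is too weak: legitimate DynDNS use exists, and the
    path shape by itself could appear on an unrelated host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, ua, url = m.groups()
        parsed = urlparse(url)
        if is_dyndns_host(parsed.hostname or "") and PATH_PATTERN.search(parsed.path):
            # The iframe was only served to IE, so a non-IE client reaching
            # one of these URLs is itself an anomaly worth a second look.
            hits.append((client, url, "MSIE" in ua))
    return hits


if __name__ == "__main__":
    for client, url, ie in find_redirect_hits(SAMPLE_LOG):
        print(f"{client} -> {url} (IE user agent: {ie})")
```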

Once the victim is redirected to the malicious URLs, Fake AntiVirus scams and the ZeroAccess Trojan are delivered. MD5s for malware delivered include the following:


Thus far, Zscaler has identified the following compromised sites:
 
Media Sites
  • WTOP Radio (Washington, DC) - wtop.com
  • Federal News Radio (Washington, DC) - federalnewsradio.com
  • The Christian Post - christianpost.com
  • Real Clear Science - realclearscience.com
  • Real Clear Policy - realclearpolicy.com
Others
  • scubaboard.com
  • mrsec.com
  • menupix.com
  • xaxor.com
  • gvovideo.com
At the time of posting, these compromised sites were still offering up malicious content.

3 comments:

Anonymous said...

scubaboard.com has been cleaned.

Anonymous said...

http://www.saatchi-gallery.co.uk/ is compromised. Has been for several weeks now.

Anonymous said...

In the process of gaining my phone and emails back from the attackers, I saw what some of them were doing. Gaining the contacts list through Gmail, to then make hidden accounts on your profile, make YouTube accounts in your user name, to run porn sites. It's a numbers game. By the time YouTube shuts them down, they've got thousands of other contacts up and running. There is a business Google Cloud Device Manager app; it was used on me, still is. It takes over every aspect of your files. Every password is changed at the source, yet it will recognize your input/password. They attach apps to your operating system that log and report. Every URL I typed in was redirected through their system, due to this app.
When I dug too deep into their files, they would wipe my phone, disconnect me from the internet, put me in an unending loop on a URL, shut me out of my Gmail account. You name it, they did it. I felt like I was in a bad made-for-TV movie. Every site that I have been to is infected. They downloaded all the apps I have on my phone to mirror what I was capable of doing on the internet, due to the redirection through their system. I had no idea this was possible! I have become educated, in a very short period of time, in the world of hacking. Wish I could put my new skills on a resume!
Bottom line, when I can afford to get a new phone, I will not link my phone to an email account, calendar, or contacts, nor do any kind of monetary transactions online. They use your user name calendar online to make appointments for their online "video chat" sessions (Google Plus sex sessions).
The first account I took back, when I deleted it, on their system in YouTube, there were over 76,000 subscribers on my user name! Talk about feeling violated.
Someone in Texas, USA hacked me, but someone in Russia (I think) hacked them. When I looked in the Russian's tracking app, I didn't see my phone being tracked. Who is ultimately behind all this? The sex account, money-making hackers? The government? God only knows. I do know Google is not innocent in all this. As I'm sure the other social media conglomerates have their hand in the cookie jar as well.
Thank you for publishing the article, and exposing a little bit of what's really going on in the background of people's operating systems. Good luck to you all!