On Wednesday, October 29th, Websense® ThreatSeeker® Intelligence Cloud’s discovered that the website of Popular Science had been compromised and served malicious code.
Our labs team found that the site, which delivers science and technology news to more than one million monthly readers, had been injected with a malicious code that redirected users to websites serving exploit code and which subsequently downloaded malicious files on each victim’s computer.
We immediately contacted the IT team at Popular Science with a notification regarding the compromise, but we have still yet to receive a response from the site.
Analysis of the compromise
The Popular Science website was injected with a malicious iFrame, which automatically redirected users to the RIG Exploit Kit, an increasingly popular tool utilised by cybercriminals.
RIG came on the scene around April 2014 and has been heavily used to distribute ransomware such as Cryptowall.
Featured Download: Social media access at work. Do your employees know the rules?
The exploit kit works by launching various exploits against the victim, attacks which – if successful – will result in malicious executables being dropped on the user’s system.
In most cases malicious injections redirect the user to a distribution system (TDS), which then further redirects to the exploit kit’s landing page. However, as is often the case with the RIG Exploit Kit, the injected code sent the victim directly to a landing page.
RIG’s landing page was heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the exploit kit used CVE-2013-7331 XMLDOM ActiveX control vulnerability to list antivirus (AV) software on the target system.
This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.
Websense telemetry indicates that this type of injection is becoming widespread across the globe, with multiple industries falling victim to this threat. However, as expected for this specific campaign, most of the victims come from the U.S., Canada and the UK, which aligns with what cybercriminals regard as “high quality” traffic.
The compromise of Popular Science serves as a stark warning to all online businesses of the serious threat posed to them by this type of attack. It also highlights the importance for businesses to be vigilant and fully aware of any subsequent attacks against their users and customers’ data.
By Carl Leonard, Senior Manager, Websense Security Labs (EMEA)
Websense, Inc. is a global leader in protecting organizations from advanced cyberattacks and data theft. Websense® TRITON® comprehensive security solutions unify web security, email security, mobile security and data loss prevention (DLP) at the lowest total cost of ownership. Tens of thousands of enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats, targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft and enforces security compliance and best practices. A global network of channel partners distributes scalable, unified appliance- and cloud-based Websense TRITON solutions.