Fake AV attack on DC-area media shows rise of mass compromises

Two local DC media outlets became the victims of scareware earlier this week

According to Invincea, the security software specialist, the websites were compromised and redirecting user traffic to an exploit kit serving a FakeAV malware variant. FakeAV has a visual payload: on compromised systems, pop-up messages tell users that their machines have been infected and that they should immediately purchase the advertised anti-virus software to clear the problem. Typically fraudsters look to cause panic-purchasing among victims.

This particular attack seemed to cast a wide net. “In the case of WTOP, the potential risk is a large number of their visitors may get compromised,” Invincea researchers noted in a blog. “In the case of Federal News Radio, the target audience is the federal employee; therefore compromising [the site] is effectively setting a watering hole attack site for federal employees. These are all media sites that we know to have been compromised over the last several days. This is likely an indicator of a larger more widespread attack against online media sites.”

The client-side portion of the attack uses browser-based exploits that affect third-party plug-ins, including Java and Adobe products. An examination of the Dvorak Uncensored hack revealed that the compromise likely originated through a WordPress plug-in vulnerability that was used to place malicious redirects on Dvorak’s popular tech blog. Once a visitor is redirected, client-side exploits of Java and Adobe Reader take over to actually serve the malware.

“Given the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,” Invincea said.

It added, “Now that we have determined we are dealing with a crimeware-related threat, we can safely assume that Dvorak.org was more than likely a target of opportunity via WordPress rather than the target of a more sophisticated attack that was specifically singling out readers of Dvorak’s blog.”

The Zscaler security team also examined the attack and noted that, sadly, “mass compromises are now the norm.”

“Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc.,” the team noted. “Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim.”

This particular threat also displays another common trait – being dynamic in nature and only delivering content if the victim browser exhibits certain attributes.

“In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used…to view one of the infected pages,” Zscaler noted.
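Because the injected line is served only to browsers whose User-Agent string identifies IE, a site owner checking their own page from a scanner or a non-IE browser will see clean HTML. The following added example (not code from Invincea, Zscaler, or the affected sites) shows the defensive check that counters this: fetch the same page under several User-Agent strings and diff the responses, flagging added lines that look like script or iframe redirects. The `fake_fetch` function, the probe User-Agent strings and the `example.invalid` host are constructed stand-ins so the script runs offline; in practice `fetch` would wrap a real HTTP client.

```python
"""Detect User-Agent-conditional ("cloaked") injections by fetching a page
under several User-Agent strings and diffing the responses."""
import difflib
import re
from typing import Callable, Dict, List

# Probe User-Agent strings (constructed for this demo); the MSIE entry mirrors
# the IE check that cloaked injections key on.
PROBE_AGENTS = {
    "ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "crawler": "Mozilla/5.0 (compatible; site-integrity-monitor/1.0)",
}

# Markers common to injected redirect lines; used to rank diff lines as
# suspicious, not as a definitive classifier.
SUSPECT = re.compile(r"<(script|iframe)\b[^>]*\bsrc=|document\.write\(|location\.(href|replace)", re.I)

def fetch_variants(fetch: Callable[[str, str], str], url: str,
                   agents: Dict[str, str] = PROBE_AGENTS) -> Dict[str, str]:
    """Fetch `url` once per User-Agent. `fetch(url, ua)` is supplied by the
    caller (e.g. a urllib wrapper) so this module itself stays network-free."""
    return {name: fetch(url, ua) for name, ua in agents.items()}

def added_lines(baseline: str, variant: str) -> List[str]:
    """Lines present in `variant` but absent from `baseline`."""
    diff = difflib.unified_diff(baseline.splitlines(), variant.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def find_cloaked_injections(pages: Dict[str, str], baseline: str = "crawler") -> Dict[str, List[str]]:
    """Compare each variant with the baseline UA's response; return, per UA
    name, the added lines that look like injected redirects."""
    base = pages[baseline]
    findings: Dict[str, List[str]] = {}
    for name, body in pages.items():
        if name == baseline:
            continue
        extra = [l for l in added_lines(base, body) if SUSPECT.search(l)]
        if extra:
            findings[name] = extra
    return findings

# Constructed demo: a simulated compromised site that injects one line only
# when the User-Agent says MSIE. The host is a placeholder, not a real IoC.
CLEAN_PAGE = "<html><head><title>News</title></head>\n<body><p>Headlines</p>\n</body></html>"
INJECTED_LINE = '<script src="http://example.invalid/redirect.js"></script>'

def fake_fetch(url: str, ua: str) -> str:
    """Returns the clean page, plus the injected line if the UA contains MSIE."""
    if "MSIE" in ua:
        return CLEAN_PAGE.replace("</body>", INJECTED_LINE + "\n</body>")
    return CLEAN_PAGE

if __name__ == "__main__":
    print(find_cloaked_injections(fetch_variants(fake_fetch, "http://example.invalid/")))
```

Only the "ie" variant is reported; the Firefox and crawler fetches match the baseline, which is exactly why a single-UA scan misses this class of compromise.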
