The website of the security certification provider EC-Council has been serving a malicious drive-by redirect to the Angler exploit kit since Monday.
According to research by Fox-IT, the redirect occurs only when the visitor's browser is Microsoft’s Internet Explorer (or at least presents an Internet Explorer user-agent), when the visitor arrives from a search engine link, and when the visitor’s IP address is neither blacklisted nor in a blocked geolocation.
This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ ransomware on the exploited victim’s machine. The redirect is injected into the EC-Council webpage by PHP code running on the webserver.
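Because the redirect is gated on browser, referrer and visitor IP, a site owner checking their own pages from a plain scanner or a non-IE browser will not see it. The following check, an added example that is not part of the article or of Fox-IT's research, requests the same URL under several request profiles and flags the page when only some profiles receive a redirect or injected iframe/script markup; the profile strings, the marker regex and the `fetch` callable are assumptions for illustration.

```python
"""Detect visitor-conditional redirects by comparing request profiles (added example)."""
import re
import urllib.error
import urllib.request

# Constructed request profiles mirroring the gating conditions described above:
# a plain client, an IE user-agent, and an IE user-agent arriving from a search engine.
IE_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
PROFILES = {
    "plain": {"User-Agent": "site-selfcheck/1.0"},
    "ie_direct": {"User-Agent": IE_UA},
    "ie_search": {"User-Agent": IE_UA, "Referer": "https://www.google.com/"},
}

# Markers in a 200 body that suggest injected redirect content (assumed heuristic).
INJECT_RE = re.compile(r"<iframe[^>]+src=|location\.(?:href|replace)\s*[=(]", re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses, so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Default fetcher returning (status, Location header or None, body text)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx (and 4xx/5xx) land here with NoRedirect
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def profile_outcome(status, location, body):
    """Classify one response as a redirect target, injected content, or clean."""
    if 300 <= status < 400 and location:
        return f"redirect:{location}"
    if INJECT_RE.search(body or ""):
        return "injected-content"
    return "clean"


def detect_conditional_redirect(url, fetch=http_fetch):
    """Fetch url under every profile; suspicious when the outcomes differ between profiles."""
    outcomes = {name: profile_outcome(*fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    suspicious = len(set(outcomes.values())) > 1
    return suspicious, outcomes
```

Run it from an IP that is not an AV vendor's range, since the article notes the gate also drops blacklisted source addresses.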
“A vulnerability in the EC-Council website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years,” the research said.
Efforts to contact the EC-Council were without success, as the press contact page leads to a 404. Fox-IT said it had reached out and notified the EC-Council, but no corrective action had been taken.
Speaking to Infosecurity, Maarten van Dantzig, senior researcher at Fox-IT, said that the issue was found on Monday after several customers were found to be infected. “We wanted to see how they were being infected and we found it was by the EC-Council website, so we tried to contact them but after they responded on Monday they stopped responding and there was nothing we could do about it,” he said.
He explained that EC-Council did respond initially, asking which website was infected and for a screenshot. The next day Fox-IT asked whether they had been able to fix it but got no response, so it decided to go public, knowing the site posed a high risk to its customers.
Speaking to Infosecurity, Luis Corrons, PandaLabs technical director, wondered why only users of Internet Explorer were affected. Clarifying, van Dantzig said that the Angler exploit kit targets versions of Internet Explorer prior to IE11 (IE 7 through 10), which all allow browser plug-ins to run, whereas Chrome and Firefox block outdated plug-ins.
Corrons said: “Most exploit kits have an operating panel to determine who they want to infect, and the old banking Trojans were configured not to infect people in their own country.
“For the blacklisted IP addresses, I’m 99% sure it is a blacklist of anti-malware and anti-virus companies so the bad guys have a blacklist of what the good guys work with, and makes it harder for us to find them.”
Update: In a statement on its Facebook page, Jay Bavisi, President and CEO of the EC-Council, thanked the security community for identifying the vulnerability, which he said existed in a third-party plug-in on one of the EC-Council’s affiliated service sites.
"As soon as our security team became aware of the issue they began working on remediating the vulnerability," Bavisi said. "Thereafter, the issue had been remediated and we now confirm that all known instances of the vulnerability have been removed and patched. We also wish to confirm that none of our servers or data were compromised at all during this period."
"EC-Council takes security seriously and as the CEO, it is my utmost priority."