NBC hack serves Citadel malware to visitors

Security firm Fox-IT’s cyber-security operations center identified a variant of the Citadel malware being served from NBC.com. It was discovered coincidentally in the course of the company's ongoing monitoring service, Fox-IT explained in a blog post: one of its customers was infected as a result of visiting the site.

“Another high profile website has been hacked to redirect visitors to malicious URLs, websites that seek to infect visitors for further scamming and cyber fraud. Last week it was Facebook, this time it is the website of the National Broadcasting Company (NBC),” said Stephen Cobb, security evangelist for ESET, in a blog. “The major American television network’s site at NBC.com was blocked for a time today by some web browsers, but thousands of untold visitors were exposed to infection. Early indications are that the NBC.com site was in this infectious state for at least 24 hours.”

He added, “The attack employed iframes to redirect legitimate visitors from NBC.com to an infected site that serves up an exploit kit. The exploit seeks to download multiple files to victim machines - not surprisingly these files are dubious in character.”
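The iframe redirect Cobb describes is usually a small, hidden iframe injected into an otherwise legitimate page, pointing at an attacker-controlled host. The following is an added example, not code from Fox-IT, ESET or NBC: a stand-alone Python scanner that parses a page's HTML and flags iframes that both load an external host and are concealed (one-pixel size, CSS-hidden, or positioned off-screen). The sample page, the host names and the heuristics are constructed assumptions for illustration.

```python
"""Flag iframes in a page that look like injected exploit-kit redirects.

Added example, not code from Fox-IT, ESET or NBC. The sample HTML, host
names and detection heuristics below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected iframe invisible to the visitor.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute[^;]*;\s*(?:left|top)\s*:\s*-\d",
    re.I,
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixels ('0', '1', '1px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons), ...] for iframes that look injected.

    site_host is the host of the page being scanned. An iframe is reported
    only when it loads an external host AND uses at least one concealment
    trick; a visible embed from a third party (a video player, an ad) is
    not reported, which keeps false positives down.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        external = host != site_host and not host.endswith("." + site_host)
        concealment = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            concealment.append("zero/one-pixel size")
        if _HIDDEN_STYLE.search(attrs.get("style") or ""):
            concealment.append("hidden by CSS")
        if external and concealment:
            findings.append((src, ["external host " + host] + concealment))
    return findings


# Constructed sample page: one legitimate video embed on a subdomain of the
# site, and one injected hidden iframe pointing at an attacker host.
SAMPLE_HTML = """
<html><body>
<iframe src="https://player.example-network.test/clip/42" width="640" height="360"></iframe>
<div>...page content...</div>
<iframe src="http://redirect.example-bad.test/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "example-network.test"):
        print(src, "->", "; ".join(reasons))
```

Run against a saved copy of a page (or a crawl of a site's landing pages), the scanner reports only the off-site, concealed iframe; extending it to follow each flagged `src` and record the redirect chain is the natural next step for an incident handler.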

Ronald Prins, Fox-IT’s CEO, tweeted about the incident to alert site visitors, while Fox-IT security experts contacted the incident handling team at GE, the owner of NBC.com, to report the problem. Meanwhile, the security features in Chrome, Firefox and Facebook showed warning messages to users trying to access the site.

Citadel was originally designed for bank fraud and cyber espionage. Fox-IT found that this variant of Citadel was delivered by an exploit kit called “RedKit”, which compromises computers through vulnerabilities in PDF reader and Java software. Once installed, the bot crawls through the victim's files to find and capture personal information, including online banking credentials. Variants of Citadel can automatically initiate bank transfers and credit card payments.

At the time of discovery, this version of Citadel was detected by only three of the 46 anti-virus engines on virustotal.com: Fortinet, Panda and Rising.

“Both detection and removal of the malware are difficult by design,” Fox-IT said in a blog detailing the forensics of the attack. “Several sites offer tips on detection and removal, including HitmanPro, but beware of scams.”

NBC fixed the problem quickly, but has not provided details as to who was behind the attack. The network has now joined the ranks of a number of companies that have recently become victims of hacking. The spate began with the New York Times being compromised by what are ostensibly Chinese hackers, and ran through the Washington Post, the Wall Street Journal, Facebook and Apple.