As of today, the website of the Bureau of Engraving and Printing was still down and returning 404 errors after an attack was mounted via the Ukraine. US Department of Treasury websites bep.gov, bep.treas.gov and moneyfactory.gov were taken down after the sites were hit by an exploit that inserted an IFRAME into their source code. The IFRAME pointed to an attack site registered to an Alexey Prokopenko in the Ukraine.
According to PandaLabs, the IFRAME loads one of the Eleonore exploit kits, which then determines the best exploitation method for the browser accessing the site. "Upon accessing the US Treasury website, the IFRAME silently redirects victims through statistics servers and exploit packs which will carry the victim onto the second stage of the attack," said an analysis posted by PandaLabs. "It's still unclear what the original entry point was into the US Treasury website, and I don't suspect that the US Government will release detailed reports about the compromise, but these threats usually make their way onto websites that have outdated server software, Web applications, and/or through Web application security vulnerabilities such as SQL injection".
After infection, a victim's web browser will start redirecting them to advertisements and rogue anti-virus software pages, according to the analysis, posted by Sean-Paul Correll.
"The hosting company used by the Bureau of Engraving and Printing had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected," said BEP spokesperson Claudia Dickens.
The BEP.gov domain is hosted by Network Solutions, while the treas.gov domain is hosted by QDot.