Security experts are warning readers of US news site Metro.us that it has been compromised by hackers to serve up info-stealing malware.
Web security vendor Websense revealed the compromise in a blog post, claiming that injected malicious code had been found in “multiple locations” on the main site – which has no affiliation with the UK news publication of the same name.
“When a visitor goes to the main page, metro.us redirects to metro.us/newyork/,” it said. “That page is injected with a malicious iFrame that redirects users to websites serving exploit code, which subsequently drops malicious files on the victim's computer.”
The covert redirect takes place via a Traffic Distribution System (TDS), taking the user to another site hosting the RIG Exploit Kit. This then tries to load exploit code and exploit multiple vulnerabilities in order to drop various executables on the targeted PC, Websense said.
RIG was first spotted back in April when it was used to distribute ransomware like Cryptowall. In the vast majority of cases (65%) it targets US computer users, although there’s also a bias towards Canada (12.2%), the UK (11.9%) and Australia (11.7%), according to the security vendor.
“The RIG Exploit Kit landing page is heavily obfuscated (which is typical with exploit kits). It functions in a similar way to other crimeware exploit kits, in that it tries to load exploit code for vulnerable plug-ins, such as Java, Flash, and SilverLight,” the blog continued.
“Like other prominent exploit kits, the request headers must have a correct referrer to load the malicious content. In this case, the referrers were metro.us compromised pages.”
The executable which is eventually dropped on the victim’s computer is obfuscated to the point where only seven out of a potential 53 AV products could detect it, according to Virus Total.
The malware in question has been designed with various tasks in mind, including stealing private info from the user’s browsers; installing itself for Autorun at Windows start-up; querying info on disks “possibly for ani-virtualization”; and checking for known windows from debuggers and forensic tools, according to Websense.
The vendor said it had contacted the metro.us IT team, which is investigating its findings.
This is not the only news site to have been hit by cybercriminals this week.
Earlier, the Wall Street Journal was forced to take the system hosting its news graphics offline following a breach, while Vice.com admitted hackers tried to access a list of content management system (CMS) users.
MSNBC was also targeted as hackers gained access to its publicly available Bitly API key to create custom URL shorteners redirecting users to a fake news site.
Carl Leonard, senior manager of security research at Websense, told Infosecuriy firms need a “tried and trusted” disaster recovery plan to mitigate the risk of compromise.
“One of the favoured methods used by cybercriminals to compromise a website is to obtain login credentials for the FTP or CMS software that is used to administer the site. To avoid such breaches, it is a smart move to ensure that any machines used to update the company website via FTP or CMS are secure,” he explained.
“This involves applying vendor patches, keeping browsers up to date and deploying a security solution that scans for threats whilst providing high levels of protection. It is also worth considering using a more secure alternative to FTP that adds encryption to the communication.”
Organizations should also monitor for known web server vulnerabilities such as cross-site scripting and SQL injection and apply patches as soon as possible, said Leonard.
“If a breach does occur, it is crucial to establish the root cause of the compromise and clean it up,” he added.
“If it is suspected that the corporate login credentials may have gotten into the hands of the attackers then these should be changed, but it is worth remembering that the cybercriminal may well be able to simply retrieve the new credentials.”