
Security breach/compromise







Media sites - mass compromise

- http://research.zscaler.com/2013/05/popula...ed-in-mass.html

May 6, 2013 - "... Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise... Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait - being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used... obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp .biz and hopto .org) involved... Thus far, Zscaler has identified the following compromised sites:

Media Sites:

WTOP Radio (Washington, DC) - wtop .com

Federal News Radio (Washington, DC) - federalnewsradio .com

The Christian Post - christianpost .com

Real Clear Science - realclearscience .com

Real Clear Policy - realclearpolicy .com


scubaboard .com

mrsec .com

menupix .com

xaxor .com

gvovideo .com

At the time of posting, these compromised sites were still offering up malicious content."



- https://www.net-security.org/malware_news.php?id=2485

May 7, 2013 - "... This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don't trigger the redirection chain..."




This topic is now archived and is closed to further replies.
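The quoted reports describe injected content that is served only to Internet Explorer User-Agents and resolves to an iframe on DynDNS hosts. The following is an added example, not part of the original post or the quoted reports, of a defender-side differential check over two captures of the same page. It assumes the analyst has already saved the rendered DOM once with an IE User-Agent and once with another browser's; the function names, sample HTML and the host `constructed-example.myftp.biz` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# DynDNS zones named in the quoted Zscaler report.
DYNDNS_SUFFIXES = (".myftp.biz", ".hopto.org")

class Collector(HTMLParser):
    """Collect iframe hosts and inline script bodies from one HTML document."""
    def __init__(self):
        super().__init__()
        self.hosts, self.scripts, self.in_script = set(), set(), False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            host = urlparse(attrs.get("src") or "").hostname
            if host:
                self.hosts.add(host.lower())
        elif tag == "script" and not attrs.get("src"):
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and data.strip():
            self.scripts.add(data.strip())

def collect(html):
    c = Collector()
    c.feed(html)
    c.close()
    return c

def ua_differential(html_ie, html_other):
    """Return what only the IE capture contains, and which hosts are DynDNS."""
    ie, other = collect(html_ie), collect(html_other)
    hosts = sorted(ie.hosts - other.hosts)
    return {"ie_only_scripts": sorted(ie.scripts - other.scripts),
            "ie_only_iframe_hosts": hosts,
            "dyndns_hosts": [h for h in hosts if h.endswith(DYNDNS_SUFFIXES)]}

# Constructed sample captures (not taken from any real site).
BASE = "<html><body><script>var page = 1;</script><p>News</p>"
OTHER_DOM = BASE + "</body></html>"
IE_DOM = (BASE + "<script>/* constructed stand-in for injected loader */</script>"
          "<iframe src='http://constructed-example.myftp.biz/' width='1'></iframe></body></html>")
```

Any non-empty `ie_only_scripts` or `ie_only_iframe_hosts` result on a page that should render identically across browsers is worth manual review, even when no DynDNS host matches.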
