NBC Website Hacked, Leading Visitors to Citadel Banking Malware

Another day, another media company hacked. This time it’s NBC, which has fallen victim to hackers on the heels of compromises of the New York Times and Wall Street Journal websites. Various experts have confirmed that NBC’s website is compromised and leading visitors to the dangerous Citadel banking Trojan. The site is reportedly hosting an iframe that redirects visitors to sites hosting the RedKit Exploit Kit, which is serving up the Citadel malware.

The HitmanPro blog said there were two malicious links on the NBC site connecting to the exploits, one on the home page and another on an internal page. The links serve Java and PDF exploits that drop Citadel; the Java exploit is the same sandbox bypass vulnerability patched in Java 7u11.

The site remained infected as of 3:30 p.m. ET as attackers were rotating out the iframes regularly, each pointing to a number of attack pages, including a site with a Russian name that translates to my-new-sploit [dot]com.

Researchers at Kaspersky Lab confirmed the redirections are leading victims to Citadel and Zeus (Trojan-Spy.Win32.Zbot.jfgj). Citadel is a version of Zeus and is used primarily for banking fraud. Experts say it is sold only in the Russian underground and only to certain customers in order to keep support costs down and reduce the risk of infiltration by law enforcement.

Independent security consultant Dancho Danchev tied the NBC attacks to a recent spam campaign targeting Facebook and Verizon. Danchev said cybercriminals were trying to impersonate Facebook and trick users into thinking their accounts had been shut down. Malicious links used in the spam messages pointed to sites hosting exploits served by the Black Hole Exploit Kit.

Danchev said one of the domains used in the NBC attack matches one used in the Facebook spam campaign, while an email address used to register another domain in the NBC attack matches one similarly used in a campaign against Verizon.

“Someone’s multitasking,” Danchev said. “That’s for sure.”

NBC image via Xurble’s Flickr photostream, Creative Commons
