Hasbro[.]com, a leading toy and game distributor in the United States, is infected and serving malware to visitors of the site. Researchers at Barracuda Networks said the site remained infected as of this morning and Hasbro has not responded to an email from the security firm disclosing the issue.
The Java-based attack is similar to one conducted against the popular humor website cracked[.]com, which was found in November to be hosting a drive-by download attack and, as of two weeks ago, was again serving malware in drive-by attacks.
Like Cracked, Hasbro is a popular website; 2013 traffic figures from Alexa.com put it at upwards of 215,000 daily visitors. Given current Java installation and patching levels, Barracuda estimates the site could be infecting up to 20,000 visitors a day. The Cracked and Hasbro attacks do not appear to be related, but Barracuda research scientist Daniel Peck said the possibility exists that both compromises are recruiting zombie endpoints for a botnet.
“That’s a lot of the motivation for compromising desktop systems for building a botnet, exfiltrating individual data and so forth,” Peck said. “There are a ton of different options [an attacker] can use to monetize a compromised system.”
Barracuda’s automated detection systems recorded Hasbro[.]com serving malware on four previous occasions this month: Jan. 10, 11, 14 and 20. The site is sending Java-based browser exploits that target as many as three vulnerabilities dating back to 2012.
“We didn’t see any indicators of it being any known exploit kits,” Peck said. “It seems like it may be a one-off.”
When a visitor lands on Hasbro’s website, the exploits attack the browser and the resulting payload opens a backdoor connection to a command and control server. Barracuda made several packet capture files available for analysis of the malware; 27 of 50 antivirus engines on VirusTotal detected it. The visitor’s browser is sent through several redirect hops, including one over HTTPS that hides the redirection to ahnc[.]blockscheine[.]com from cleartext inspection. Barracuda said on its blog that the malicious domain serves a number of Java exploits which, if successful, install the malicious payload.
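The chain described above (landing page, several redirect hops, one of them over HTTPS, ending at a host that serves Java exploits) is the pattern a defender would look for in proxy logs or in the packet captures Barracuda released. The following is an added example, not Barracuda’s code or tooling: it links each 3xx response to the same client’s follow-up request, reconstructs the redirect chain, and flags the drive-by indicators. The log layout (client, method, URL, status, content type, Location, Referer, with "-" for absent fields), the intermediate hop domains hop1.example and hop2.example, and the file paths are assumptions; ahnc.blockscheine.com is the domain named in the article, and the sample lines are constructed.

```python
"""Reconstruct redirect chains from proxy log lines and flag the drive-by pattern.

Added example, not Barracuda's code. Log format, hop domains (hop1.example,
hop2.example) and paths are assumptions; ahnc.blockscheine.com is the domain
named in the article. SAMPLE_LOG is constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

JAVA_TYPES = {"application/java-archive", "application/x-java-archive", "application/x-jar"}

# Constructed sample: client 10.0.0.7 lands on the site, a third-party script
# bounces it through two hops (one over HTTPS) to the exploit host, which then
# serves a JAR. Client 10.0.0.9 just loads the page and is left alone.
SAMPLE_LOG = """\
10.0.0.7 GET http://www.hasbro.com/ 200 text/html - -
10.0.0.7 GET http://www.hasbro.com/js/site.js 200 application/javascript - http://www.hasbro.com/
10.0.0.7 GET http://stats.hop1.example/c.php 302 text/html https://hop2.example/r http://www.hasbro.com/
10.0.0.7 GET https://hop2.example/r 302 text/html http://ahnc.blockscheine.com/index.php http://www.hasbro.com/
10.0.0.7 GET http://ahnc.blockscheine.com/index.php 200 text/html - http://www.hasbro.com/
10.0.0.7 GET http://ahnc.blockscheine.com/x.jar 200 application/java-archive - http://ahnc.blockscheine.com/index.php
10.0.0.9 GET http://www.hasbro.com/ 200 text/html - -
"""


@dataclass
class Request:
    client: str
    method: str
    url: str
    status: int
    ctype: str
    location: Optional[str]  # Location header on a redirect, else None
    referer: Optional[str]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def same_site(host: str, site: str) -> bool:
    return host == site or host.endswith("." + site)


def parse_log(text: str) -> List[Request]:
    reqs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        client, method, url, status, ctype, loc, ref = line.split()
        reqs.append(Request(client, method, url, int(status), ctype,
                            None if loc == "-" else loc, None if ref == "-" else ref))
    return reqs


def build_chains(reqs: List[Request]) -> List[List[Request]]:
    """Follow each 3xx Location to the same client's later request for that URL."""
    chains, consumed = [], set()
    for i, start in enumerate(reqs):
        if i in consumed or not (300 <= start.status < 400 and start.location):
            continue
        chain, cur, pos = [start], start, i
        while cur.location:
            nxt = next((k for k in range(pos + 1, len(reqs))
                        if k not in consumed and reqs[k].client == cur.client
                        and reqs[k].url == cur.location), None)
            if nxt is None:
                break  # client never followed this redirect
            consumed.add(nxt)
            cur, pos = reqs[nxt], nxt
            chain.append(cur)
        chains.append(chain)
    return chains


def classify(chain: List[Request], reqs: List[Request], site: str) -> Set[str]:
    """Indicators a chain shows relative to the site whose visitors we protect."""
    flags = set()
    if chain[0].referer and same_site(host_of(chain[0].referer), site):
        flags.add("referred_from_site")
    if any(not same_site(host_of(r.url), site) for r in chain):
        flags.add("off_site")
    # An HTTPS hop hides the next Location from anyone watching only cleartext.
    if any(urlparse(r.url).scheme == "https" and r.location for r in chain):
        flags.add("https_hop")
    last_host, client = host_of(chain[-1].url), chain[-1].client
    if any(r.client == client and host_of(r.url) == last_host
           and (r.ctype in JAVA_TYPES or r.url.lower().endswith(".jar")) for r in reqs):
        flags.add("java_payload")
    return flags


def analyze(log_text: str, site: str) -> List[Tuple[List[str], Set[str]]]:
    reqs = parse_log(log_text)
    return [([r.url for r in c], classify(c, reqs, site)) for c in build_chains(reqs)]


if __name__ == "__main__":
    for urls, flags in analyze(SAMPLE_LOG, "hasbro.com"):
        print(" -> ".join(urls), sorted(flags))
```

The chain is keyed on the client address and the exact Location URL, so a redirect the browser never followed is reported as a chain that simply stops; a real deployment would key on session rather than IP where NAT is in play. With Barracuda’s packet captures, the same logic applies once the HTTP requests and responses have been extracted into this shape, though the body of the HTTPS hop would only be visible with an intercepting proxy.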
“It’s garden-variety installing arbitrary code on your systems and taking control and doing anything it needs to,” Peck said. “Honestly, I don’t think anything stands out too much. The biggest reason we put the post up about it is because it’s a well-known website. We’ve got our automated systems to find these compromised sites all the time. When we see something that’s common enough that people need to be warned about, it’s worth talking about.”
Barracuda has also recently reported on compromises of php.net and of Cracked, which Peck said was compromised again after the initial infection, reported in November, had been cleaned up.
“It’s a very similar attack,” Peck said. “It’s not the same payload and it used a different set of compromised servers inside, so it’s possibly a different group, or possibly someone’s gotten in there very deeply and every now and then they’ll turn it on and avoid being rooted out completely and still be able to use that traffic. With a site like Cracked or any of these other sites that get so much [traffic] a day, you can do quite a bit to build up your botnet.”