Users who visit AskMen.com, a men’s entertainment and lifestyle portal, are being hit with malicious code, potentially stemming from the Nuclear Pack exploit kit, researchers announced today.
When a user stumbles across the site – or a localized version (aus.askmen[.]com, etc.) of it – malicious code is loaded automatically and the user is redirected to another website.
The second site hits victims with a since-patched Java exploit, CVE-2013-2465, along with an Adobe PDF exploit.
This particular Java exploit was leveraged earlier this year in a Java-based botnet and was also distributed by the LightsOut exploit kit in a watering hole attack that targeted the energy and oil sector.
According to researchers at Websense, who discovered the compromise and posted about it on their Security Labs blog, it appears the Nuclear Pack exploit kit – or a variant of the kit – is being used to carry out this campaign.
Websense notes that the exploit page apparently uses the same obfuscation techniques as the Nuclear Pack and employs the aforementioned Java exploit as well.
The malicious code that triggers the redirect is obfuscated and can be found at the bottom of JavaScript pages, according to the firm.
“The obfuscation used here is a simple base64 encoding, which can be easily de-obfuscated to a Redirect to a website generated by its domain generation algorithm as well as the DGA itself,” the researchers wrote.
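For site owners who want to check their own script files for this pattern, the following is an added example (not code from Websense or from the original article) that scans the last lines of a JavaScript file for base64 runs and reports any that decode to readable text containing redirect markers. The injected code itself is not shown in the article, so the sample input, the 40-character threshold and the marker list are constructed assumptions.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hide a script fragment (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Substrings suggesting the decoded text sends the browser elsewhere (assumed marker list).
REDIRECT_MARKERS = ("location", "document.write", "<iframe", "http://", "https://")


def decode_text(blob):
    """Return blob decoded as printable ASCII, or None if it is not base64-encoded text."""
    body = blob.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    readable = all(c.isprintable() or c in "\r\n\t" for c in text)
    return text if readable else None


def find_encoded_redirects(js_source, tail_lines=20):
    """Inspect the last tail_lines lines of a script for base64-hidden redirects."""
    lines = js_source.splitlines()
    start = max(0, len(lines) - tail_lines)
    findings = []
    for lineno, line in enumerate(lines[start:], start + 1):
        for match in B64_RUN.finditer(line):
            text = decode_text(match.group())
            if text is None:
                continue  # binary data such as an embedded image, or not base64 at all
            markers = [m for m in REDIRECT_MARKERS if m in text.lower()]
            if markers:
                findings.append({"line": lineno, "decoded": text, "markers": markers})
    return findings


# Constructed samples: a clean script, and the same script with an encoded string appended.
CLEAN_JS = 'function initMenu() {\n  document.getElementById("nav").className = "open";\n}\n'
_PAYLOAD = b'window.location.href="http://redirect.example.invalid/landing";'
INFECTED_JS = CLEAN_JS + 'var _s = "' + base64.b64encode(_PAYLOAD).decode() + '";\n'

if __name__ == "__main__":
    for hit in find_encoded_redirects(INFECTED_JS):
        print(hit["line"], hit["markers"], hit["decoded"])
```

Comparing flagged files against a known-good copy from version control or a deployment artifact confirms whether the trailing string was part of the original script.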
The kit also drops Caphaw, the banking malware that was spotted floating around in several YouTube ads last year, which at the very least could give the attacker access to the victim’s machine, the researchers warn.
Websense claims it reached out to AskMen.com’s webmaster regarding the compromise but has yet to receive a response.
However, when reached on Monday afternoon, Johnny Testa, AskMen.com’s marketing and social media manager, insisted the site, which is owned by the publishing conglomerate Ziff Davis, never received any emails from Websense.
Testa added that AskMen’s developers have not been able to detect any malware on its site either.
The site claims to be the “No. 1 men’s lifestyle publication,” and apparently reaches upward of 14 million U.S. readers per month, numbers that could translate to a substantial pool of victims for attackers if it is indeed vulnerable.