Looks like The Home Depot needs to turn their own ‘Doing
Dials’ up a notch: the website of the home improvement retailer was compromised
by a piece of hidden code that redirected browsers to a site infected with malware.
By running a Google search for “home depot stair
spindles,” Mark Baldwin of Infosec Island discovered that the first unsponsored result was a known malicious site. As
it turned out, there was an invisible frame hidden in the script that linked to
an external site. Upon this discovery, Baldwin decided to investigate further.
He found that the site, vmui.com, had been listed
as malicious as far back as July 2009 by Google and StopBadWare, an organization
determined to curb the spread of malicious software and raise awareness about it. While the domain is no longer functional,
Baldwin found that StopBadWare has the site’s IP listed in its database
as belonging to The Planet.com Internet Service.
Baldwin speculates there are three ways in which the site
may have been hacked: the site’s FTP
credentials might have been compromised through a weak password, a brute-force attack on
server credentials, or an SQL injection.
Because the DNS records of the malicious site are gone, there is currently
no security risk to the Home Depot’s website, but when Baldwin tried to access
the site he was redirected to hxxp://searchmanified.com, which also appears to be
hosting malware. In addition, the hole exploited in the first place may
remain unpatched and the site may still be vulnerable.
Baldwin further speculates that the site may have become
infected back in 2009, when thousands of sites were injected with similar invisible
frames that attempted to download malware to a user’s machine when they visited
an infected site.
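An added example (not from the original article or from Baldwin's analysis): a static check a site owner could run over served HTML to flag invisible iframes that load from another domain, the injection pattern described above. The sample page and every domain in it are constructed placeholders, and `find_hidden_external_frames` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that hides a frame: display:none, visibility:hidden, 0/1px size.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class HiddenFrameFinder(HTMLParser):
    """Collect <iframe> tags that are invisible and load from another site."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []  # (external host, line number in the HTML)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        # Relative URLs have no hostname, so they count as same-site.
        host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        same_site = (not host or host == self.site_domain
                     or host.endswith("." + self.site_domain))
        tiny = any(a.get(dim, "").strip().lower().rstrip("px") in ("0", "1")
                   for dim in ("width", "height"))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if hidden and not same_site:
            self.findings.append((host, self.getpos()[0]))

def find_hidden_external_frames(html, site_domain):
    finder = HiddenFrameFinder(site_domain)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all domains are placeholders (assumption).
SAMPLE = """<html><body>
<h1>Stair spindles</h1>
<iframe src="/promo/banner.html" width="300" height="250"></iframe>
<iframe src="https://video.retailer.example/howto" width="560" height="315"></iframe>
<script>var a = 1;</script>
<iframe src="http://malware-host.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//cdn.partner.example/widget" style="border:0; width:100%"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, line in find_hidden_external_frames(SAMPLE, "retailer.example"):
        print(f"line {line}: hidden iframe loads from {host}")
```

This only sees frames present in the markup; a frame written into the page at runtime by obfuscated JavaScript needs a rendered-DOM check or file-integrity monitoring on the server.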
Threatpost.com reached out to the Home Depot, but they were
unavailable for comment at the time of publication.