The website of widely read Popular Science magazine is reportedly hosting a malicious script that is redirecting site visitors to a third-party domain containing an exploit kit, which is infecting users by uploading files containing malware to their machines.
To give an idea of the scope of this problem, according to estimated metrics from the site traffic analysis service Alexa, Popsci[dot]com ranks 6,297 globally and 2,234 in the U.S. in terms of total traffic.
The compromise was discovered by researchers from the Websense Security Lab, who said they contacted the IT team at Popular Science and informed them of the breach.
“The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit,” Websense researchers wrote in a report. “The exploit kit launches various exploits against the victim which – if successful – will result in a malicious executable dropped on the user’s system.”
The researchers go on to explain that unlike most malware that deploys a traffic distribution system to send users through a series of redirects before landing on the page hosting the exploit kit, Popsci is routing users directly to the infection. This, Websense claims, is standard operating procedure for the RIG exploit kit. In this case, the kit is exploiting a Microsoft ActiveX bug from 2013 in order to determine what, if any, antivirus product is running on the victim system.
“If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java,” the researchers said. “If a vulnerable plug-in is found, the appropriate exploit is launched.”
Forty percent of all infections detected thus far, according to Websense, are in the U.S., U.K. and Netherlands.