September 26, 2011

Cuevana.tv is compromised, be aware of this .cx.cc attack!

Ran Qiong

Websense® ThreatSeeker® Network has detected that the Cuevana.tv (hxxp://www.cuevana.tv) Web site was compromised on 25th September, 2011. 

Cuevana.tv is a very popular Spanish online TV Web site in South America, especially in Argentina, Uruguay, Mexico, Colombia, and Panama. Cuevana.tv has a very high Alexa ranking, ranging from 25 to 60 depending on the region.

Traffic rank data from Alexa.com


The screenshot below shows the Cuevana.tv homepage: 


Malicious code was injected into this Web page:


Unfortunately, the iframe injection URL hxxp://kanreque.cx.cc/redir_fcgi.pl was already down when we first detected this compromised site. The payload site was unavailable at the time this blog was posted; however, this could change at any time.

In addition to the Cuevana.tv Web site, Websense® ThreatSeeker® Network also detected that a large number of other popular Web sites have been infected by these malicious iframes (with the domain name .cx.cc). Based on the analysis of this data, we found that most of these iframes lead to a trojan downloader or to some form of exploit kit.
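A site owner can check saved page source for this pattern. The following is an added example, not code from Websense or from the original post: it parses a page, collects every iframe `src`, and reports those whose host falls under `.cx.cc`. The sample page, the function names and the `SUSPECT_SUFFIX` constant are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPECT_SUFFIX = "cx.cc"  # domain suffix named in the post (assumed constant name)

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe>; tag and attribute names arrive lower-cased."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def host_of(url):
    """Return the lower-cased hostname, accepting defanged (hxxp) and scheme-relative URLs."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if url.startswith("//"):
        url = "http:" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return ""

def suspicious_iframes(html, suffix=SUSPECT_SUFFIX):
    """Return iframe URLs whose host is the suffix itself or a subdomain of it."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    # Match on a label boundary so that "notcx.cc" is not mistaken for "*.cx.cc".
    return [s for s in parser.sources
            if (h := host_of(s)) == suffix or h.endswith("." + suffix)]

# Constructed sample page, not the actual injected markup from Cuevana.tv.
SAMPLE_PAGE = """
<iframe src="http://player.example.com/embed/1"></iframe>
<IFRAME SRC="hxxp://kanreque.cx.cc/redir_fcgi.pl"></IFRAME>
<iframe src="//Other.CX.CC./x"></iframe>
<iframe src="http://notcx.cc/page"></iframe>
"""

if __name__ == "__main__":
    for url in suspicious_iframes(SAMPLE_PAGE):
        print("suspicious iframe:", url)
```

This inspects static markup only; an iframe written into the page by script at load time will not appear in saved HTML and has to be looked for in the rendered DOM or in proxy logs.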

Below are some infected Web sites as detected by ThreatSeeker: 



Websense customers are protected from Web-based threats by ACE, our Advanced Classification Engine.
