July 4, 2012

The official website of GoPro is compromised to serve malicious code

Elad Sharf Security Researcher

The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code.  We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them. 

Update: gopro.com and all the other GoPro affected websites we mentioned in this post are now clean from this injection and no longer serve this malicious content.

Websense customers are protected from this threat with ACE our Advanced Classification Engine.

The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment (see image 2 marked in red). Our ThreatSeeker network also spotted that hosts of localized versions of GoPro.com are injected with malicious code as well; for example the local website of GoPro France at fr.gopro.com. Other local versions include: 








Image 1: The official Website of gopro.com - the main page


Image 2: The injected code marked with red on the official website of GoPro (at gopro.com)


Once a user visits gopro.com the injected code (marked in red) gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise.net (see image 3 for full URL). The malicious redirector at ad.fourtytwo.proadvertise.net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath.com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post that malware has ~9% antivirus detection rate, according to virustotal.com. The malicious file is an ad-clicker that generates large amounts of traffic to legitimate ad websites from a list of instructions it downloads from a designated server. The malicious file also launches the local browser from time to time to show advertisements. 


Image 3: The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website


Image 4: The exploit Website is loaded with the infamous Blackhole Exploit Kit


We shall update the blog with additional information as it comes to light.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.