Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of Popular Science has been compromised and is serving malicious code. Popular Science is a well-established monthly magazine with a readership of more than a million, focusing on making science and technology subjects accessible to the general reader. The site has been injected with malicious code that redirects users to websites serving exploit code, which subsequently drops malicious files on each victim's computer.
Websense Security Labs™ has contacted the IT team of Popular Science with a notification regarding the compromise.
The main page of Popular Science on October 28, 2014:
Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following points in the seven stages an advanced threat goes through when attempting to steal your data:
- Stage 2 (Lure) - ACE has detection for the compromised websites.
- Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit. The same Exploit Kit has been used in the compromise of METRO’s website as well. The exploit kit launches various exploits against the victim which – if successful – will result in a malicious executable dropped on the user’s system.
The injected iFrame:
In most cases, malicious injections redirect the user to a TDS, which then further redirects to the exploit kit’s landing page. However, as is often the case with the RIG Exploit Kit, the injected code sends the victim directly to the landing page.
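A site owner can audit served pages for this kind of injection. The following is an added example, not code from the original post or from Websense: it flags iframes whose source is on a host outside an allow-list and records whether the frame is visually hidden. The hiding heuristics, the name `audit_iframes`, and the sample HTML with its example.* hosts are assumptions constructed for illustration; the post does not describe the injected iFrame's attributes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristics: inline styles that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:left|top)\s*:\s*-\d+"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

# Constructed sample page: one allow-listed embed, one same-origin frame,
# and one hidden off-site frame of the kind an injection would add.
SAMPLE_HTML = """<html><body>
<h1>Magazine front page</h1>
<iframe src="https://video.example.com/player" width="640" height="360"></iframe>
<iframe src="/ads/slot1.html" width="300" height="250"></iframe>
<iframe src="http://landing.example.net/?q=abc" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
</body></html>"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    return value is not None and re.fullmatch(r"\s*[01]\s*(px)?\s*", value, re.I) is not None

class IframeAuditor(HTMLParser):
    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        # The page's own host is always trusted; others must be allow-listed.
        self.trusted = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolve relative URLs
        host = urlparse(src).hostname
        if host is None or host in self.trusted:
            return  # same-origin, allow-listed, or non-network (about:blank)
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append({"src": src, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})

def audit_iframes(html, page_url, allowed_hosts=()):
    """Return one finding per iframe that loads from a non-trusted host."""
    auditor = IframeAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    return auditor.findings
```

Run against the HTML as served (not the repository copy), since injections of this kind are often added server-side; an off-site frame marked `hidden` warrants immediate review.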
Obfuscated RIG Exploit Kit landing page:
The exploit kit landing page is heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the RIG Exploit Kit uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to list antivirus (AV) software on the target system.
Checking for AV:
This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.
De-obfuscated script launching Java Exploit:
High-Level Stats: Who is impacted by this injection?
Websense telemetry indicates that this type of injection is widespread across the globe. Multiple industries are seen to be continuously affected by this threat.
As we mentioned in the past, compromising popular web pages is a common technique used by cyber criminals to launch their attacks. It is important that users employ advanced security products that can protect them at various stages of the attacks.