X-Labs
October 28, 2014

Official Website of Popular Science Compromised

Abel Toro Security Researcher

Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of Popular Science has been compromised and is serving malicious code. Popular Science is a well-established monthly magazine with a readership of more than a million, focusing on making science and technology subjects accessible to the general reader. The site has been injected with malicious code that redirects users to websites serving exploit code, which then drops malicious files on each victim's computer.

Websense Security Labs™ has contacted the IT team of Popular Science with a notification regarding the compromise.

The main page of Popular Science on October 28, 2014:

[Screenshot: Popular Science main page]

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following two of the seven stages an advanced threat goes through when attempting to steal your data:

  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.

Analysis

The website has been injected with a malicious iframe that automatically redirects the user to the popular RIG Exploit Kit. The same exploit kit was used in the compromise of METRO’s website. The exploit kit launches various exploits against the victim which, if successful, result in a malicious executable being dropped on the user’s system.

The injected iFrame:

[Screenshot: injected iframe code]

In most cases, malicious injections redirect the user to a Traffic Distribution System (TDS), which then further redirects to the exploit kit’s landing page. However, as is often the case with the RIG Exploit Kit, the injected code sends the victim directly to the landing page.

Obfuscated RIG Exploit Kit landing page:

[Screenshot: obfuscated RIG Exploit Kit landing page]

The exploit kit landing page is heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the RIG Exploit Kit uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability, an information-disclosure flaw in Internet Explorer that reveals whether a given local file path exists, to enumerate the antivirus (AV) software installed on the target system.

Checking for AV:

[Screenshot: AV check code, including a check for Trend Micro]

This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.
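The two indicators described above, a hidden iframe pointing at an off-site landing page and an obfuscated script that fingerprints the visitor before launching an exploit, can both be caught by a static scan of the page HTML a site owner or incident responder has fetched. The scanner below is an added example written for this article, not Websense code and not the actual injection seen on the Popular Science site; the sample HTML, the host names and the heuristic thresholds are all constructed for illustration.

```python
"""Static scan of fetched HTML for two web-injection indicators:
a hidden iframe whose src is off-site, and an inline script that shows
several obfuscation markers. Heuristic thresholds and sample page are
constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens that are individually common in legitimate JavaScript but, in
# combination, are typical of exploit-kit loaders and landing pages.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode",
                       "document.write(", "Microsoft.XMLDOM", "res://")
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/%\\]{40,}")  # long escaped/encoded blobs


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '100%'."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collects (kind, detail, reasons) findings while parsing a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = urlparse(src).hostname
        style = (a.get("style") or "").replace(" ", "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        hidden = []
        if (w is not None and w <= 2) or (h is not None and h <= 2):
            hidden.append("tiny dimensions")
        if ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(top|left):-\d", style)):
            hidden.append("hidden via CSS")
        # Only a frame that is both concealed and off-site is reported;
        # a visible third-party ad frame alone is not an indicator.
        if hidden and host and host != self.page_host:
            self.findings.append(("iframe", src, hidden + [f"off-site src {host}"]))

    def _check_script(self, body):
        body = body.strip()
        reasons = [m for m in OBFUSCATION_MARKERS if m in body]
        longest = max((len(t) for t in OPAQUE_RUN.findall(body)), default=0)
        if longest >= 200:
            reasons.append(f"{longest}-char opaque string")
        if len(reasons) >= 2:  # require two independent markers to cut noise
            self.findings.append(("script", body[:60], reasons))


def scan_html(page_url, html):
    """Return the list of findings for one fetched page."""
    p = InjectionScanner(page_url)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one benign ad frame, one hidden off-site frame,
# one ordinary script and one obfuscated loader.
SAMPLE_HTML = (
    "<html><body><h1>News</h1>\n"
    '<iframe src="https://ads.example.net/banner" width="300" height="250"></iframe>\n'
    '<iframe src="http://landing.example-kit.test/index.php?x=1" width="1" height="1" '
    'style="visibility: hidden"></iframe>\n'
    "<script>var x = document.getElementById('menu');</script>\n"
    '<script>var s="' + "%41" * 80 + '"; eval(unescape(s));</script>\n'
    "</body></html>"
)


def scan_sample():
    return scan_html("https://www.example.org/", SAMPLE_HTML)


if __name__ == "__main__":
    for kind, detail, reasons in scan_sample():
        print(kind, detail, reasons)
```

Run against HTML captured at the time of compromise, the scan reports the 1x1 hidden frame pointing at the constructed off-site host and the script combining `eval(`, `unescape(` and a long encoded blob, while leaving the visible ad frame and the plain menu script alone. The markers list is where a responder would add the XMLDOM and `res://` strings that the AV check relies on.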

De-obfuscated script launching Java Exploit:

[Screenshot: de-obfuscated script launching the Java exploit]

High-Level Stats: Who is impacted by this injection?

[Chart: injection telemetry]

Websense telemetry indicates that this type of injection is widespread across the globe. Multiple industries are seen to be continuously affected by this threat.

Affected countries:

[Chart: affected countries]

Affected industries:

[Chart: affected industries]

Conclusion

As we have noted in the past, compromising popular web pages is a common technique used by cyber criminals to launch their attacks. It is important that users employ advanced security products that can protect them at the various stages of such attacks.


Abel Toro

Security Researcher

Abel Toro is a Security Researcher with Forcepoint Security Labs’ Special Investigations team, focusing on reverse engineering, malware analysis, and threat intelligence. He tracks existing threat groups and identifies new ones – focusing in particular on APTs – through analysing infrastructure,...
