X-Labs
May 3, 2010

Treasury websites compromised

Patrik Runald

Several US Treasury websites were compromised today and served a hidden iframe leading to exploit code to anyone who visited the following three sites:

  • bep.gov
  • bep.treas.gov
  • moneyfactory.gov

The code that was loaded can be seen in the screen shot below.

[Screenshot: the injected iframe code on the compromised Treasury site]

This iframe loads a page from gr[REMOVED]ad.com (hosted in Turkey), which in turn redirects to si[REMOVED]e-g.com/jobs/ (hosted in The Netherlands), which is where the exploits are hosted. In this case the Eleonore Exploit Kit is used; it has support for several vulnerabilities in Adobe Reader, Flash, Internet Explorer etc. In the video below you can see how the exploit kit pushes a malicious PDF to the user which exploits a vulnerability in Adobe Reader. At the time of writing only 20% of all AV vendors detected that file.

[Video: the Eleonore exploit kit pushing a malicious PDF to the visitor]
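The injection described above is a hidden iframe pointing at a third-party host. As an added example (not code from the original post or from Websense), here is a small defender-side scanner that parses an HTML page and flags iframes that are sized to zero, hidden by CSS, or loading from a host other than the page's own. The sample page and the `redirector.example` domain in it are constructed for the demo and are not the real hosts from the incident.

```python
"""Find hidden iframes in an HTML page and report the hosts they load.

Added example for detecting the kind of injection described above; the
HTML below is constructed for the demo and the domains are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that typically hide an element from the viewer:
# display:none, visibility:hidden, off-screen positioning, 0/1px box.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*[01]px",
    re.IGNORECASE,
)


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (optionally with 'px')."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that look hidden or that load from a foreign host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Boolean attributes come through with a None value; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        src = a.get("src", "")
        host = urlparse(src).hostname or ""  # "" for relative URLs
        if host and host.lower() != self.page_host:
            reasons.append("external-src")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of suspicious iframes found in `html`."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate same-origin widget iframe and one
# injected, zero-size, CSS-hidden iframe loading from a foreign host.
SAMPLE_PAGE = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="/widgets/ticker.html" width="300" height="80"></iframe>
<iframe src="http://redirector.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "bep.gov"):
        print(f"suspicious iframe -> {f['host'] or '(relative)'}: "
              f"{', '.join(f['reasons'])}  src={f['src']}")
```

Run against a saved copy of a page (or the body returned by a web proxy), the output lists each suspicious iframe with the reasons it was flagged; the external host is the value worth correlating with the redirect chain in proxy logs.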

Our customers were protected against this proactively as we had real-time signatures available that blocked all the exploits.

