January 5, 2011

WageWorks site compromised

Patrik Runald

A website owned by WageWorks has been compromised to redirect users to a known malicious Web site. The site that is compromised is hxxp://learnwageworks.com and we advise users to not visit this site until the issue has been fixed. Websense customers are protected proactively against the compromise by ACE, our Advanced Classification Engine.


Update: WageWorks got in touch with us and promptly fixed the problem.


The injection itself is visible in clear text on the page, but you have to scroll down quite far when viewing the source to see it. 


The site it redirects to is currently down, and the main WageWorks site, http://www.wageworks.com, is not compromised. The attack site was active as late as yesterday and hosted the Phoenix Exploit Kit, one of the most popular kits used to install malware on users' PCs. The first time we saw the attack site hosting malicious code was on December 28, 2010: 


We have received several reports from customers asking about this. Because WageWorks is one of the largest benefits providers in the US and is used by several large organizations, the compromise could become much more serious if the attack page is activated or changed to another site.


We want to emphasize that Websense customers are proactively protected against this compromise, thanks to the real-time analytics that are part of ACE.

We have notified WageWorks about the compromise but have not received a reply.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.