WageWorks site compromised
05 Jan 2011 07:20 AM
A website owned by WageWorks has been compromised to redirect users to a known malicious Web site. The site that is compromised is hxxp://learnwageworks.com and we advise users to not visit this site until the issue has been fixed. Websense customers are protected proactively against the compromise by ACE, our Advanced Classification Engine.
Update: WageWorks got in touch with us and promptly fixed the problem.
The injection itself is visible in clear text on the page, but you have to scroll down quite far when viewing the source to see it.
The site it redirects to is currently down, and the main WageWorks site, http://www.wageworks.com, is not compromised. The attack site was active as late as yesterday and hosted the Phoenix Exploit Kit, one of the most popular kits used to install malware on users' PCs. The first time we saw the attack site hosting malicious code was on December 28, 2010:
We have received several reports from customers asking about this. Because WageWorks is one of the largest benefits providers in the US and is used by several large organizations, the compromise could become much more serious if the attack page is activated or changed to another site.
We want to emphasize that Websense customers are proactively protected against this compromise, thanks to the real-time analytics that are part of ACE.
We have notified WageWorks about the compromise but have not received a reply.