Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

WageWorks site compromised

View all posts > 

WageWorks site compromised

Posted: 05 Jan 2011 07:20 AM | Patrik Runald | 2 comment(s)

A website owned by WageWorks has been compromised to redirect users to a known malicious Web site. The site that is compromised is hxxp://learnwageworks.com and we advise users to not visit this site until the issue has been fixed. Websense customers are protected proactively against the compromise by ACE, our Advanced Classification Engine.


Update: WageWorks got in touch with us and promptly fixed the problem.


The injection itself is visible in clear text on the page, but you have to scroll down quite far when viewing the source to see it.



The site it redirects to is currently down, and the main WageWorks site, http://www.wageworks.com, is not compromised. The attack site was active as late as yesterday and hosted the Phoenix Exploit Kit, one of the most popular kits used to install malware on users' PCs. The first time we saw the attack site hosting malicious code was on December 28, 2010:



We have received several reports from customers asking about this. Because WageWorks is one of the largest benefits providers in the US and is used by several large organizations, the compromise could become much more serious if the attack page is activated or changed to another site.


We want to emphasize that Websense customers are proactively protected against this compromise, thanks to the real-time analytics that are part of ACE.

We have notified WageWorks about the compromise but have not received a reply.


Deepak Vasudevan said on Friday, January 7, 2011 6:12 AM

http://learnwageworks.com seems to be fixed now. But there is no update on Websense on the same?

Patrik Runald said on Friday, January 7, 2011 12:50 PM

The site is now categorized as "Financial Data and Services"

Leave a Comment


Email address: (required)