Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

The official website of GoPro is compromised to serve malicious code


Posted: 04 Jul 2012 05:24 PM | Elad Sharf | 2 comment(s)


The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise, but to date we have not heard back from them.

 

Update: gopro.com and all the other affected GoPro websites mentioned in this post are now clean of this injection and no longer serve this malicious content.


Websense customers are protected from this threat with ACE, our Advanced Classification Engine.

 

The injected code is present in multiple locations on the main page. This injection is part of a mass injection that is known to us and is currently doing the rounds on the web (see image 2, marked in red). Our ThreatSeeker Network also spotted that the hosts of localized versions of GoPro.com are injected with malicious code as well, for example the local website of GoPro France at fr.gopro.com. The affected local versions include:


de.gopro.com

es.gopro.com

fr.gopro.com

it.gopro.com

jp.gopro.com

pt.gopro.com

 

Image 1: The official Website of gopro.com - the main page

 

Image 2: The injected code marked with red on the official website of GoPro (at gopro.com)

 

Once a user visits gopro.com, the injected code (marked in red) gets translated to an iframe that leads the user automatically, without any interaction, to a malicious redirector at ad.fourtytwo.proadvertise.net (see image 3 for the full URL). The redirector in turn sends the user to an exploit website at ad.banchoath.com that is loaded with the Blackhole exploit kit. The exploit website sends several exploits to the user's browser, and on successful exploitation the user's machine is infected with malware. At the time of this post that malware has a ~9% antivirus detection rate, according to virustotal.com. The malicious file is an ad-clicker that generates large amounts of traffic to legitimate ad websites from a list of instructions it downloads from a designated server. It also launches the local browser from time to time to show advertisements.

 

Image 3: The injected code translates to an iframe that takes the visitor, without user interaction, to an exploit website

 

Image 4: The exploit Website is loaded with the infamous Blackhole Exploit Kit
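
For responders who need to know which of their own users followed the chain described above, this added example (not part of the original post) walks Referer values in a web proxy log and reports the furthest stage each client reached. The hostnames are those named in the post; the log layout and the `/PLACEHOLDER` paths are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

SITE = "gopro.com"                            # compromised site (from the post)
REDIRECTOR = "ad.fourtytwo.proadvertise.net"  # redirector host (from the post)
EXPLOIT_HOST = "ad.banchoath.com"             # Blackhole host (from the post)

# Constructed sample log. The "time client url referer" layout and the
# /PLACEHOLDER paths are assumptions; the post shows full URLs only in images.
SAMPLE_LOG = """\
2012-07-04T10:00:01 10.0.0.5 http://gopro.com/ -
2012-07-04T10:00:02 10.0.0.5 http://ad.fourtytwo.proadvertise.net/PLACEHOLDER http://gopro.com/
2012-07-04T10:00:03 10.0.0.5 http://ad.banchoath.com/PLACEHOLDER http://ad.fourtytwo.proadvertise.net/PLACEHOLDER
2012-07-04T10:05:00 10.0.0.9 http://fr.gopro.com/ -
2012-07-04T10:05:01 10.0.0.9 http://ad.fourtytwo.proadvertise.net/PLACEHOLDER http://fr.gopro.com/
2012-07-04T10:07:00 10.0.0.7 http://gopro.com/ -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def on_site(h):
    # True for gopro.com and its localized subdomains (fr.gopro.com, ...).
    return h == SITE or h.endswith("." + SITE)

def trace_chains(log_text):
    """Return {client: {stage, chain, from_site}} for clients seen in the chain."""
    referer_of = defaultdict(dict)  # client -> {url: referer}
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, url, referer = parts
        referer_of[client].setdefault(url, referer)
        if host(url) not in (REDIRECTOR, EXPLOIT_HOST):
            continue
        # Walk Referer links back to the page that started the chain.
        chain, cur, seen = [host(url)], referer, set()
        while cur != "-" and cur not in seen:
            seen.add(cur)
            chain.append(host(cur))
            cur = referer_of[client].get(cur, "-")
        chain.reverse()
        stage = "exploit-kit" if host(url) == EXPLOIT_HOST else "redirector"
        if client not in findings or stage == "exploit-kit":
            findings[client] = {"stage": stage, "chain": chain,
                                "from_site": on_site(chain[0])}
    return findings
```

Clients at stage `exploit-kit` were served the kit's landing page and are the first candidates for endpoint triage; clients at `redirector` loaded the injected iframe but no request to the exploit host was logged.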

 

We shall update the blog with additional information as it comes to light.



Comments

Alex said on Wednesday, July 04, 2012 3:27 PM

Apparently fixed now twitter.com/.../220642600347123713

Elad Sharf said on Thursday, July 05, 2012 6:01 AM

@Alex, thanks, we've verified this and updated this post at the top to say that this infection is no longer on GoPro's websites.

