Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

NBC.com Compromised

View all posts > 

NBC.com Compromised

Posted: 22 Feb 2013 01:05 | Patrik Runald | no comments


Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag on one of the JavaScripts that gets loaded every time a user visits the page:

 

 

 

This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer. During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by our replay system that we have in Websense Security Labs.

 

 

 

 

Two vulnerabilities were used to compromise the user’s computer. In the above example, we can see a PDF file, but the exploit will also try Java vulnerabilities. If either is successful, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, which is designed to help the cyber criminals steal money from online banking accounts. While the file has very bad coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to see it as suspicious and provide a lot of additional details about the behavior of the file. See here for the full report.

 

Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits.

 

 

 

NBC has since confirmed that their site has been cleaned up, and it's again safe to visit.


Filed under:

Leave a Comment

(required)  

Email address: (required)