CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 4th, 2009

Multiple Popular Websites Affected By EyeWonder Malware Incident

According to ZDNet, over the last couple of hours visitors to popular, high-traffic web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of those sites are unreachable because of malware warnings triggered by content from EyeWonder, an interactive digital advertising provider.

According to Google’s SafeBrowsing advisory for EyeWonder, the exploits were hosted on domains that are currently active and participating in the ColdFusion injection attacks, namely elfah .net, 2ici .cn and javazhu.3322 .org; the same domains have also been used to compromise Pakistan’s Telecommunication Authority.

Using a RealPlayer Import stack overflow exploit and a second exploit attempting a QVOD Player URL overflow, the cybercriminals then try to push eight different malware samples onto the visitor’s machine. Detection rates for the droppers are improving.

Interestingly, one of the malware samples attempts to download an updated list of malware binaries by connecting to a compromised Italian site (betheboss.it) that is itself part of the ColdFusion injection attacks, since it appears to have been exploited in the same way.

This malware incident demonstrates how a single exploitation of a trusted third-party content/ad serving vendor can not only undermine its credibility, but potentially the credibility of the sites using the network. And since the ads on the affected sites are dynamically served through different networks, it remains questionable whether it was in fact EyeWonder that served malicious content, or a compromised partner of the network itself.

Case in point: the partnership between Facilitate Digital and EyeWonder is implemented in a very insecure fashion, with EyeWonder’s front page carrying a permanent iFrame tag that loads a domain (adsfac.us) belonging to Facilitate Digital.
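The cascade described above (a publisher embeds an ad network’s iframe, the network’s page embeds a partner’s domain, and a flag on any link in that chain surfaces as a warning on the publisher) is easy to audit for. The script below is an added example written for this article, not code from EyeWonder, Facilitate Digital or any of the affected sites: it pulls every src-loaded resource out of a page, keeps only the third-party hosts, and checks them against a list of flagged patterns using the same wildcard semantics as a “*.eyewonder.com” listing. It then walks a constructed map of who iframes whom to show which hosts inherit a warning transitively. The sample markup, the publisher hostnames and the embed map are constructed for illustration; only eyewonder.com and adsfac.us come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page standing in for a publisher's front page.
# example-publisher.com is an assumed name; eyewonder.com and adsfac.us
# are the two domains named in the article.
SAMPLE_PAGE = """
<html><body>
<h1>Front page</h1>
<script src="/js/site.js"></script>
<script src="https://cdn.example-publisher.com/lib.js"></script>
<iframe src="http://adsfac.us/ag.asp?cc=123&amp;source=js"></iframe>
<iframe src="//ads.eyewonder.com/unit/123"></iframe>
<img src="https://static.example-publisher.com/logo.png">
</body></html>
"""


class ThirdPartyLoadParser(HTMLParser):
    """Collect every resource the page loads via a src/data attribute."""
    TAGS = {"iframe", "script", "img", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("src", "data") and value:
                self.loads.append((tag, value))


def host_of(url, page_host):
    """Host a URL loads from; relative URLs resolve to the embedding page."""
    return (urlsplit(url).netloc or page_host).lower()


def domain_matches(host, pattern):
    """'*.eyewonder.com' matches eyewonder.com and every subdomain of it."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def audit_page(html, page_host, flagged_patterns):
    """Map each third-party (tag, host) the page loads to the flagged
    pattern that would trigger a browser warning, or None if it is clean."""
    parser = ThirdPartyLoadParser()
    parser.feed(html)
    report = {}
    for tag, url in parser.loads:
        host = host_of(url, page_host)
        if host == page_host:
            continue  # first-party resource, not part of the exposure
        hit = next((p for p in flagged_patterns if domain_matches(host, p)), None)
        report[(tag, host)] = hit
    return report


def affected_hosts(embeds, flagged_patterns):
    """Given host -> set of hosts it iframes, return every host that
    transitively loads a flagged host. A flag on a partner propagates
    up through each network that embeds it to the publishers on top."""
    affected = set()
    changed = True
    while changed:
        changed = False
        for host, deps in embeds.items():
            if host in affected:
                continue
            for dep in deps:
                if dep in affected or any(domain_matches(dep, p) for p in flagged_patterns):
                    affected.add(host)
                    changed = True
                    break
    return affected


if __name__ == "__main__":
    # Constructed embed map: a publisher iframes the ad network, whose own
    # front page iframes the partner domain (the relationship the article describes).
    embeds = {
        "www.example-publisher.com": {"ads.eyewonder.com"},
        "www.eyewonder.com": {"adsfac.us"},
        "ads.eyewonder.com": set(),
    }
    print(audit_page(SAMPLE_PAGE, "www.example-publisher.com", ["*.eyewonder.com"]))
    print(affected_hosts(embeds, ["adsfac.us"]))
    print(affected_hosts(embeds, ["*.eyewonder.com"]))
```

Run it against a saved copy of a page and a current flag list to see exactly which embedded host is dragging the page into a warning; the wildcard match is what makes a listing for a whole domain catch an ad-serving subdomain that was never itself compromised.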

For the time being, EyeWonder.com remains down for maintenance.

Credit: ZDNet.com Security Blogs


    One Response to “Multiple Popular Websites Affected By EyeWonder Malware Incident”

    1. Apparently, the exploit only affected the home page http://www.eyewonder.com and not any advertising, which was hosted on a different server (which can be verified by traceroutes). The warnings on other sites were simply because Google flagged *.eyewonder.com

      It looks like Eyewonder has fixed the issue caused by the hack into Coldfusion on their home page and Google has unflagged them.
