CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 3rd, 2011

Goal.com Parts Injected With Malware-Serving Code, Multiple Pages Including English Affected

Security researchers from Armorize warn that attackers have managed to inject visitor infecting code into the popular soccer news website goal.com. The rogue iframe has been inserted, probably through SQL injection techniques, into multiple goal.com pages including the main English one.

“From what we’ve collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com’s content,” the researchers write.

Furthermore, they believe the attacker was only testing his exploits which led to the compromise being picked up by the company’s automated scanners.

If this is true, it would make for a very odd behavior giving that goal.com is a pretty high-profile target to waste on simple tests. The website has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is very varied because it covers over 200 countries with content in 22 languages.

The injected iframe takes visitors through a series of redirects meant to determine the version of their browser, OS and other software.

The results influence what exploits are loaded. In this drive-by download attack, the cyber criminals are using a known exploit toolkit known as g01pack. An interesting feature of this pack is a fake admin/stats page intentionally protected with weak or default passwords to throw researchers off.

During their supposed testing, the attackers behind this compromise used exploits for Java (CVE-2010-1423), Windows (CVE-2010-1885, CVE-2006-0003) and Adobe Reader (CVE-2009-0927).

According to the Armorize analysts, the exploit code was “mutated,” a detection evasion technique used in addition to the regular obfuscation.

Fortunately, most domains involved in the attack were blacklisted by Google’s Safe Browsing service, which means that Firefox and Chrome users are protected. However, the AV detection rate for the installed malware remains pretty low (37%) at the time of writing this article.

Credit: Softpedia.com News

Share this item with others:

More on CyberInsecure:
  • Daily Mail Serves Malicious Ads, Readers Redirected To Malware Installing Server
  • Multiple TechCrunch Websites Compromised, Infect Visitors With Malware
  • Spam And Malware In Google Ads
  • Google Detects Malware Infection On eBay Solutions Provider Auctiva.com
  • English Defence League Website And Database Hacked, Members Names And Addresses Stolen

    • Posted in Breaches And Incidents, Malware, Software, SQL Injections, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Tuesday, May 3rd, 2011 at 12:38 pm and is filed under Breaches And Incidents, Malware, Software, SQL Injections, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Goal.com Parts Injected With Malware-Serving Code, Multiple Pages Including English Affected

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word

    « «
    » »