Malicious pages serve Java exploit used by Nuclear Pack exploit kit

Jun 23, 2014 22:51 GMT  ·  By

Online men’s publication Askmen.com is said to be the victim of a cyber-attack, with malicious code injected into various areas of the site in order to redirect visitors to malicious pages serving a Java exploit.

The portal is dedicated to providing news for men on topics ranging from sports and health to social activity and entertainment. According to its media page, it has more than 14 million readers in the U.S. alone, and it also has localized versions for the UK, Canada, Australia and the Middle East.

Security researchers at Websense, a San Diego-based company providing protection against cyber-attacks, reported that they detected malicious code on the Askmen.com website that takes visitors to a web address delivering an exploit for vulnerabilities in Java (supposedly CVE-2013-2465) and Adobe Reader.

This particular vulnerability in Java affects older versions of the runtime (v7 update 21 and earlier) and “allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.”

Even though Java 7 has reached update 60, many users may not have applied the patches and could fall victim to the exploit.

The injected code appears at the bottom of the website's JavaScript files and is obfuscated with simple base64 encoding.
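As an added illustration, not taken from the article or the Websense post, the following Python scanner looks for the injection pattern described here: a base64 blob appended to the tail of a site's JavaScript file that decodes to redirect code. The sample file and the decoded snippet are constructed for the example, and the keyword list and the five-line tail window are assumptions a defender would tune for their own site.

```python
import base64
import re

# Constructed sample: a legitimate site script with a base64 blob appended at
# the end, as the article describes. The decoded blob is a harmless placeholder
# redirect to a reserved, non-resolving domain (example.invalid).
INJECTED_SNIPPET = 'window.location="http://example.invalid/landing";'
SAMPLE_JS = (
    "function initMenu(){document.getElementById('nav').style.display='block';}\n"
    "initMenu();\n"
    "eval(atob('" + base64.b64encode(INJECTED_SNIPPET.encode()).decode() + "'));\n"
)

# Base64 runs long enough to carry code rather than short tokens like IDs.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Fragments typical of an injected redirect (assumed list; extend as needed).
SUSPICIOUS = ("location", "iframe", "document.write", "src=", "http")


def find_encoded_payloads(js_text, tail_lines=5):
    """Decode base64 blobs found in the last `tail_lines` lines of a JS file.

    Returns a list of (decoded_text, flagged) tuples; `flagged` is True when
    the decoded text contains a redirect-style fragment from SUSPICIOUS.
    """
    tail = js_text.rstrip("\n").split("\n")[-tail_lines:]
    findings = []
    for match in B64_RE.finditer("\n".join(tail)):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: leave it alone
        flagged = any(keyword in decoded.lower() for keyword in SUSPICIOUS)
        findings.append((decoded, flagged))
    return findings


if __name__ == "__main__":
    for decoded, flagged in find_encoded_payloads(SAMPLE_JS):
        print("FLAGGED" if flagged else "benign", repr(decoded))
```

Running the scanner over every served .js file and diffing against a known-good copy catches this kind of appended injection; a flagged hit still needs a human look, since legitimate scripts occasionally embed base64 data.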

According to Websense, the domain of the landing page hosting the exploit is generated automatically by a domain generation algorithm (DGA), which the researchers have cracked; they also published the landing pages that would be used until June 30.

The post says that the obfuscation techniques seen on the exploit page are not original, as they have been previously encountered in the Nuclear Pack exploit kit, which is known to take advantage of said security flaw in Java.

“The exploit page displays similar obfuscation techniques, which are often used in the Nuclear Pack exploit kit. In addition, the above mentioned Java exploit is most often used by Nuclear Pack. These facts strongly indicate that the attacker is using either the Nuclear Pack exploit kit or a variant of it,” reads the Websense post.

The threat allegedly downloaded onto the victim’s computer has been detected by Websense as Caphaw, a threat apparently originating from Russia and Ukraine and used for a variety of purposes, from click fraud to search result hijacking and information stealing.

We reached out to Askmen requesting more details on the matter. A response came quickly from Sophie Laplante, Audience Development Manager, who said they were not aware of malware or malicious code currently affecting the portal and being delivered to the visitors.

Laplante told us via email that “WebSense never got in touch with our team, as far as we are concerned. Additionally, our developers have not detected any malware on our site.”

[UPDATE, June 25]: Askmen contacted us to provide their latest statement: "We've done a thorough investigation and there is no evidence of any malware. We take security issues very seriously and we have multiple measures in place to protect our users. We're also in contact with the vendor who purported to see evidence of an attack."