May 7, 2011 20:48 GMT

Security researchers have detected compromised pages on Lenovo India's warranty website which load exploits and attempt to infect visitors with malware.

According to Umesh Wanve, a senior security research engineer at Zscaler who analyzed the attack, the infected lenovowarranty.co.in pages had a rogue iframe injected into them.

The malicious iframe took visitors through a series of redirects before leading them to the landing page of an Incognito exploit kit installation.

Incognito 2.0 is a drive-by download toolkit which contains several exploits for Java, Adobe Reader and Windows.
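A site owner can catch this kind of injection by checking served pages for iframes that point off-site. The following is an added example, not code from Zscaler or the article; the sample page, host names and the hidden-frame heuristic are constructed assumptions, since the article does not describe the iframe's attributes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the injected host is a placeholder, not an indicator from the article.
SAMPLE_HTML = """
<html><body>
<h1>Warranty lookup</h1>
<iframe src="/widgets/status.html" width="400" height="200"></iframe>
<iframe src="http://injected.example.net/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="//maps.partner.example/embed"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def _hidden(attrs):
    # Assumed heuristic: 0/1-pixel dimensions or CSS that hides the frame.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_offsite_iframes(html, page_url, allowed_hosts=()):
    """Return iframes whose resolved host is neither the page's host nor allowlisted."""
    allowed = {urlsplit(page_url).hostname, *allowed_hosts}
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src")
        if not src:
            continue
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(page_url, src)).hostname
        if host and host not in allowed:
            findings.append({"src": src, "host": host, "hidden": _hidden(attrs)})
    return findings

if __name__ == "__main__":
    for f in find_offsite_iframes(SAMPLE_HTML, "http://warranty.example.com/", ["maps.partner.example"]):
        print(f)
```

Running the check against a known-good allowlist of embed hosts keeps legitimate third-party frames from drowning out an injected one.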

According to an older analysis by Seculert, this exploit pack has been used to install various types of malware, including the notorious ZeuS trojan, Gbot, the Optima DDoS botnet client, trojan downloaders, ransomware and scareware.

This attack is a good example of why keeping all software products on a computer up to date is critically important given today's threat landscape.

Drive-by download attacks executed from compromised legitimate websites are one of the primary methods of malware distribution.

They are very dangerous because the vast majority of them are transparent to the victim, who only has to browse to a rigged site to get infected.

In addition to keeping their software and, of course, their anti-malware program up to date, users can also employ more aggressive solutions like the NoScript extension for Firefox.

By default, NoScript prevents websites from executing JavaScript code inside people's browsers. In many cases this doesn't break any critical functionality and the sites can be used without any change.

However, when this is not the case, people can allow only the active domain to load JavaScript. If that doesn't solve the compatibility issues, they can start allowing the domains they view as less risky.

This is not the first time exploits have been served from a Lenovo website. Last June, the compromised Lenovo support website tried to infect visitors with the Bredolab trojan downloader.