Apr 8, 2011 10:40 GMT  ·  By

Malicious code that led to a powerful exploit kit was injected into a compromised USPS.gov website in order to infect visitors with malware.

The infection was spotted by cloud security provider Zscaler on the United States Postal Service's Rapid Information Bulletin Board System (RIBBS) website, ribbs.usps.gov.

The RIBBS website provides information on the Intelligent Mail package barcode (IMpb), a new system designed to provide price-level intelligence.

The injected code consisted of obfuscated JavaScript which, when parsed, generated a rogue iframe that loaded a script from an external domain.

As in most drive-by download attacks, the script in question handled the redirection, sending users to another page designed to look like a 404 error.

That page was part of a Blackhole exploit kit installation which checked visitors' browser and operating system in order to launch one of several Java and PDF exploits.
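A defender-side check for the kind of injection described above, added here as an example and not code from Zscaler or the article: a small Python scanner over saved HTML that flags inline scripts combining several obfuscation markers (the markers and the two-marker threshold are assumptions) and iframes that point off-site or are sized or styled to be invisible. The sample page and the hostnames in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic markers (assumed thresholds): two or more together flag a script block.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")
HEX_ESCAPE_RUN = re.compile(r"(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}")

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._in_script = site_host.lower(), [], False

    def _offsite(self, url):  # true when the host is neither site_host nor a subdomain of it
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite-iframe", a.get("src", "")))
            style = a.get("style", "").replace(" ", "").lower()
            if a.get("width") in ("0", "1") or a.get("height") in ("0", "1") \
                    or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):  # script bodies arrive here as one CDATA chunk
        if not self._in_script:
            return
        hits = [m for m in OBFUSCATION_MARKERS if m in data]
        if HEX_ESCAPE_RUN.search(data):
            hits.append("hex-escape-run")
        if len(hits) >= 2:  # a single marker is common in legitimate code
            self.findings.append(("obfuscated-inline-script", ",".join(hits)))

def scan_html(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a legitimate local script, an injected obfuscated block, and the 1x1 off-site iframe it would emit.
SAMPLE_PAGE = """<html><body><h1>Bulletin board</h1>
<script src="/js/site.js"></script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22'))</script>
<iframe src="http://attacker.example/x.php" width="1" height="1"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE_PAGE, "site.example")` to get the findings; in practice the scanner would be pointed at a saved copy of each page and diffed against a known-good baseline.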

Blackhole is a popular commercial drive-by attack toolkit sold on the underground market and, as VirusTotal scans show, it comes with well-obfuscated exploits that evade detection by many antivirus products.

"Yet again, we have a legitimate website with a significant user base being used as a catalyst for attack. Combine that with an abysmal detection rate on the malicious payloads by desktop AV, the first and often only line of client side defense for many enterprises, and we have a potent attack that has no doubt affected many end users," writes Michael Sutton, Zscaler's vice president of security research.

The ribbs.usps.gov website was taken offline by USPS and remains down at the time of writing. The URL has also been blacklisted by Google's Safe Browsing service.

Users are advised to keep their software and operating systems up to date and always run with an antivirus capable of scanning Web traffic.