Goal.com Continues to Infect Visitors

Security researchers from Armorize warn that Goal.com's security problems are not over and the website continues to infect visitors, this time with scareware.

At the beginning of this month, Armorize's web-scanning service detected a malware infection on popular soccer news site goal.com.

The company's researchers said at the time that several parts of goal.com had been compromised by attackers who might have had a backdoor on the server.

That assessment might have been right because, after those initial infections were cleaned, the website began serving malicious code again.

A new rogue iframe was injected into the site's main English-language page to direct visitors to a drive-by download site that exploits vulnerabilities in outdated software.

A successful attack will result in a piece of scareware called Security Shield being installed on the victim's computer.

The fake antivirus software had a very poor av detection rate on Virus Total at the time when this new infection was discovered, which means that a lot of users might have been affected.

Goal.com has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is large and varied because the site produces content in 22 languages covering over 200 countries.

Drive-by download attacks are very dangerous because they don't require user interaction. In fact, their intention is to remain completely transparent and not alert victims that something weird is happening in the background.

"Security Shield will continuously pop up fake alerts and launch browsers to open porn sites, and only stops after a 'license' has been purchased," the Armorize researchers explain.

The best way to prevent drive-by download attacks is to keep all installed software applications up to date. These attacks normally use exploits for vulnerabilities that have already been patched. Using an antivirus program capable of behavioral detection is also highly recommended.