May 3, 2011 08:08 GMT

Security researchers from Armorize warn that attackers have managed to inject visitor-infecting code into the popular soccer news website goal.com.

According to Armorize experts, a rogue iframe has been inserted, probably through SQL injection techniques, into multiple goal.com pages, including the main English one.

"From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will.

"A backdoor may exist to allow the attacker continuous control of goal.com's content," the researchers write.

Furthermore, they believe the attacker was only testing his exploits, which led to the compromise being picked up by the company's automated scanners.

If this is true, it would be very odd behavior, given that goal.com is a pretty high-profile target to waste on simple tests.

The website has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is very varied because it covers over 200 countries with content in 22 languages.

The injected iframe takes visitors through a series of redirects meant to determine the version of their browser, OS and other software.

The results influence which exploits are loaded. In this drive-by download attack, the cyber criminals are using a known exploit toolkit called g01pack.

An interesting feature of this pack is a fake admin/stats page intentionally protected with weak or default passwords to throw researchers off.

During their supposed testing, the attackers behind this compromise used exploits for Java (CVE-2010-1423), Windows (CVE-2010-1885, CVE-2006-0003) and Adobe Reader (CVE-2009-0927).

According to the Armorize analysts, the exploit code was "mutated," a detection evasion technique used in addition to the regular obfuscation.

Fortunately, most domains involved in the attack were blacklisted by Google's Safe Browsing service, which means that Firefox and Chrome users are protected. However, the AV detection rate for the installed malware remains pretty low (37%) at the time of writing this article.
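For site operators, one way to catch an injected iframe like the one described above is to audit served pages for frames that point outside an allowlist of expected hosts. The Python code below is an added example, not Armorize's scanner or anything from the original report; the page URL, host names and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeAuditor(HTMLParser):
    """Record every iframe whose source host is outside the allowlist."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, resolved host, raw src)

    def _is_allowed(self, host):
        # Exact match or a true subdomain; a bare suffix match would let
        # "news.example.other.example" pass as "news.example".
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = (dict(attrs).get("src") or "").strip()
        if not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlsplit(urljoin(self.page_url, src)).hostname or "").lower()
        if not self._is_allowed(host):
            self.findings.append((self.getpos()[0], host, src))


def audit(page_url, html, allowed_hosts):
    parser = IframeAuditor(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page and allowlist (not taken from the incident).
PAGE_URL = "http://www.news.example/en/"
ALLOWED = {"news.example", "partner.example"}
SAMPLE = """<html><body>
<iframe src="/widgets/scores.html"></iframe>
<iframe src="//video.partner.example/embed/1"></iframe>
<div>headlines</div>
<iframe src="http://unexpected.example.net/in.php"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, src in audit(PAGE_URL, SAMPLE, ALLOWED):
        print(f"line {line}: iframe to unlisted host {host!r} ({src})")
```

Run against rendered pages on a schedule, a check like this flags content that changed outside the normal publishing process, which is also a prompt to look for the injection point and any backdoor left behind.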