Invisible iframes direct to malicious locations

Feb 18, 2015 22:57 GMT  ·  By

Visitors who landed on the main page of a popular adult website on Sunday without having updated their Flash Player browser plug-in to the latest version ran the risk of having their computers compromised by malware delivered through the Angler exploit kit (EK).

As in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but compromised the adult site’s servers and planted malicious code directly into the source of its main page.

Exploit flung at visitors with outdated Flash Player versions

Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128th in Alexa’s traffic ranking, with an estimated 300 million visits per month.

The code inserted into the page produces an iframe that is invisible to the visitor and points to two domains where the Angler exploit kit is hosted.
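The injected iframe described above, as an added example rather than code from Malwarebytes or RedTube: a Python check that scans page source for iframes hidden by inline style, by a hidden ancestor element or by zero size, and flags those whose src points at a host other than the site’s own. The HTML sample in the block is constructed; its .invalid hostnames stand in for the kit’s domains, which the article does not name.

```python
"""Flag hidden iframes whose src points off-site, as a first-pass check for
an injected exploit-kit redirector in a page's HTML.

Added example, not code from Malwarebytes or RedTube. The sample page at the
bottom is constructed, and its .invalid hostnames are placeholders rather
than the real Angler domains from the 2015 compromise."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an element invisible: display/visibility
# toggles, zero dimensions, or positioning far outside the viewport.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?(?![\d.])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements without a closing tag; they must not stay on the ancestor stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class IframeCollector(HTMLParser):
    """Record every <iframe> together with whether an ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # list of (attrs, hidden_by_ancestor)
        self._stack = []       # open elements as (tag, hides_children)
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append((a, self._hidden_depth > 0))
        if tag not in VOID_ELEMENTS:
            hides = bool(HIDDEN_STYLE.search(a.get("style", "")))
            self._stack.append((tag, hides))
            self._hidden_depth += hides

    def handle_endtag(self, tag):
        tag = tag.lower()
        # Pop to the matching open tag; tolerates unclosed children.
        while self._stack:
            open_tag, hides = self._stack.pop()
            self._hidden_depth -= hides
            if open_tag == tag:
                break


def _dimension(attrs, name):
    """Parse a width/height attribute such as "640" or "0px"; None if unusable."""
    value = attrs.get(name, "").strip().lower()
    try:
        return int(value.rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs, hidden_by_ancestor):
    """True when the visitor cannot see this iframe."""
    if hidden_by_ancestor or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    # 0x0 and 1x1 frames are the classic injected-redirector shape.
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return any(d is not None and d <= 1 for d in (w, h))


def find_suspicious_iframes(html, site_host):
    """Return [(src, reason)] for hidden iframes that load from another host.

    A relative or same-host src is left alone: the page legitimately frames
    its own content, while the injected redirector points at the kit's domain.
    """
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, hidden_by_ancestor in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == site_host or host.endswith("." + site_host):
            continue
        if is_hidden(attrs, hidden_by_ancestor):
            findings.append((src, "hidden iframe to external host " + host))
    return findings


# Constructed page: one legitimate player embed plus three injected frames,
# hidden respectively by inline style, by a hidden parent, and by zero size.
SAMPLE_HTML = """
<html><body>
<iframe src="https://player.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://landing.invalid/example.php?id=1" width="1" height="1"
        style="position:absolute;left:-9999px;top:-9999px"></iframe>
<div style="display:none"><p>ad<br>
<iframe src="http://landing2.invalid/gate.html"></iframe></p></div>
<iframe src="http://cdn.invalid/widget" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes(SAMPLE_HTML, "example.org"):
        print(reason, "->", src)
```

Run it against the HTML as served by the origin, not a browser’s rendered DOM, and diff against a known-good copy of the page; a static parse like this will not see an iframe that obfuscated JavaScript writes into the document at runtime, which is the other common shape of an exploit-kit injection.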

According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.

Until the fix became available in Flash 16.0.0.305, the security bug had been leveraged in the wild through Hanjuan exploit kit.

RedTube confirms the attack

The researchers say that the end goal of the cybercriminals is to install a piece of malware detected as Kazy Trojan, which appears to be a variant related to the Ponik downloader and the Vundo Trojan.

“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes said on Wednesday.

It is not clear how the RedTube compromise occurred, but the attack has significant potential given the large number of visits the website receives each month and the fact that users are slow to apply the latest patches for their browser plug-ins. Furthermore, a vulnerable machine would be infected without any visible sign of suspicious activity.

On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.