U.S. media sites compromised, lead to malware

At least five U.S. media sites and a number of other popular ones have been compromised and are redirecting visitors to malicious URLs, Zscaler warns.

The sites have been injected with obfuscated JavaScript that contains an iFrame that redirects users to one of several sites serving the ZeroAccess Trojan and fake AVs.

The compromised sites include those belonging to Washington-based WTOP Radio and Federal News Radio, The Christian Post, Real Clear Science, Real Clear Policy, a popular online scuba diving forum, a picture aggregator site, and others. Zscaler researchers theorize that they probably have a common backend platform.

“Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites,” they explained. “In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim.”

This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don’t trigger the redirection chain.

According to Zscaler, the sites were still compromised yesterday.