Reputation Means Nothing Online

Think you can trust a website as long as it’s well-known and well-trafficked? Think again: the AVG Web Threats Research Team has identified two cybercrime campaigns coded into some of the Internet’s most popular sites.

After installing good Internet security software, the best way to stay safe online is to visit only sites you trust, right? Stick to browsing major websites from large companies or well-known people and you'll avoid the Internet's dark alleyways, where cybercriminals lurk waiting to steal your bank details. Sadly, that's just not true anymore.

On 1 January this year, the AVG Web Threats Research Team discovered a popular page on MSN Italy was redirecting visitors using malicious code that bore the traits of the 'Cool Exploit Kit' - one of the latest in a growing number of off-the-shelf malware solutions available for wannabe cybercriminals to buy. And then, in February, the same team identified links to several NBC.com sites that were redirecting users to 'Redkit Exploit Kit' code, including Late Night With Jimmy Fallon and Jay Leno's Garage.

Clearly, these are not amateur websites built and operated without thought of security or budget to keep the bad guys out - they're major websites from large corporations, and most people would quite naturally assume they'd be safe visiting them without fear of their computer being harmed.

The Italian Job

The MSN Italy site came to the attention of the Web Threats Team when researchers noticed a spike in LinkScanner* detections originating there (*LinkScanner is part of AVG's free and paid Internet security products, available here). The group discovered the site contained an 'obfuscated redirect' - encrypted computer code with a hidden purpose - which linked to a web page built by one or more cybercriminals.

Simply visiting one of the hacked pages using a vulnerable PC was enough to allow the Cool Exploit Kit code to covertly install 'ransomware' on the user's machine. This generated a full-screen message that couldn't be minimized or clicked away from, and which claimed to be from the US Department of Justice. The message stated that the PC had been blocked due to illegal files saved on it, and the only way to regain control was to pay a 'release fee' of several hundred dollars through an untraceable payment system. However, paying the ransom isn't known to unlock the machine, nor remove the malicious code - to regain control, the user (or an IT professional) would have to clean boot their machine and then attempt to repair it by tracking down and removing the malicious code.

The Cool Exploit Kit uses a number of different exploits to infect PCs, but in this case it was a malicious '.jar' (Java ARchive) file that downloaded and installed the ransomware. The Web Threats team has also seen similar pages localized via the user's IP address, so they appear to be from a local government agency, with the release fee in the local currency. Naturally, AVG immediately notified MSN and the bad links no longer exist on any MSN website.

NBC.com Brings You the (Bad) News

More recently, the Web Threats Team investigated a large number of reports of obfuscated redirects found on websites of US TV network NBC. The bulk of the reports were from AVG customers in the US, with the rest coming mainly from Canada and the UK.

The team found malicious code similar to the obfuscated script below had been injected into JavaScript files used on the websites. This code redirected users to hundreds of websites that had also been compromised by the cybercriminals, and where the users' computers were exploited by the Redkit Exploit Kit. Like most exploit kits, this is configurable to install any malware on an exploited PC - in this case, it installed the Citadel Trojan, which steals banking credentials and other sensitive information.
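
From the site operator's side, code injected into a script file can be caught by comparing each served script against a known-good copy and checking any added lines for obfuscation traits. The following is an added example, not AVG's or NBC's code; the function name, the indicator list and the sample script are assumptions constructed for illustration.

```javascript
// Added example: diff a served script against a known-good copy and score
// the injected lines. The indicator list is an assumption (common
// obfuscation traits), not LinkScanner's detection rules.
const INDICATORS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "unescape", re: /\bunescape\s*\(/ },
  { name: "fromCharCode", re: /String\.fromCharCode/ },
  { name: "document.write", re: /document\.write\s*\(/ },
  { name: "iframe", re: /<iframe|createElement\s*\(\s*["']iframe/i },
  { name: "encoded-run", re: /(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){6,}/i },
];

// Returns one finding per line that is in `served` but not in `knownGood`.
// A line showing two or more indicators is marked suspicious; a line with
// fewer is still reported, because any unexplained change needs review.
function auditScript(knownGood, served) {
  const baseline = new Set(knownGood.split(/\r?\n/).map((l) => l.trim()));
  const findings = [];
  served.split(/\r?\n/).forEach((line, i) => {
    const text = line.trim();
    if (text === "" || baseline.has(text)) return; // unchanged or blank
    const hits = INDICATORS.filter((ind) => ind.re.test(text))
      .map((ind) => ind.name);
    findings.push({ line: i + 1, hits, suspicious: hits.length >= 2 });
  });
  return findings;
}

// Constructed sample: a small site script as deployed ...
const KNOWN_GOOD = [
  "function showSchedule(el) {",
  '  el.className = "visible";',
  "}",
].join("\n");

// ... and the same file as served, with one appended line. The encoded
// string is a harmless placeholder that decodes to "void 0".
const SERVED_INJECTED =
  KNOWN_GOOD + '\n;eval(unescape("%76%6f%69%64%20%30"));\n';

// A legitimate edit is reported too, but not marked suspicious.
const SERVED_EDITED = KNOWN_GOOD + '\nvar build = "2";\n';

console.log(auditScript(KNOWN_GOOD, SERVED_INJECTED));
console.log(auditScript(KNOWN_GOOD, SERVED_EDITED));
```
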

NBC.com is one of North America's most popular sites, with a US Traffic Rank of 569 and more than 200,000 daily visitors. After discovering it had been compromised, NBC released the following statement in a blog post: "We've identified the problem and are working to resolve it. No user information has been compromised." Unfortunately, NBC's statement focuses only on access to data stored by NBC on its servers, not data stored on the users' computers, which is what the hack was designed to steal. As such, this seems like a rather short-sighted vision of the potential damage caused by a breach in NBC's security.

If you think your computer may have been compromised by the Citadel Trojan (or other malware / virus), run a scan of your PC as soon as possible using up-to-date security software - if you don't already have any installed, we recommend AVG Internet Security (or the free version AVG AntiVirus FREE 2013). If the scan reveals a threat, follow the on-screen prompts (also described here) and the software will often be able to repair your computer. If it does not, we suggest you contact the AVG Techbuddy Experts for further advice.

It's Time to Take Control

These cases prove that advice to stick to reputable websites to avoid cybercriminals is no longer fully valid - for sure, you'll be safer than if you browse the Internet's seedier destinations, but hacked sites are as common as ever and infected pages are, as we see here, being served from big-name sites that you would normally expect to be safe and secure.

Given that such sites are now being hacked on a regular basis despite substantial IT budgets, perhaps it is time to accept that cybercrime has reached a level of sophistication that means true online security is very hard to obtain. Certainly, responsibility for secure browsing increasingly falls on individual users, but they can at least help protect themselves by using tools that analyze HTML code in real-time, such as AVG LinkScanner.

The AVG Web Threats Research Team

