The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.
On June 20, 2016 the popular anime site Jkanime was injected with malicious code that was silently redirecting users to Neutrino Exploit Kit (EK). During our analysis Neutrino EK dropped and executed the CryptXXX 3.0 crypto-ransomware, and we were asked to pay 1.2 Bitcoin (approximately $888 USD) in order to get our files back.
On 29/FEB/16 Forcepoint researchers saw that the popular entertainment news site missmalini[.]com was compromised and redirecting to a malicious web site. The timing coincides with awards ceremonies such as The Oscars, so users are likely to be searching for celebrity news. The infection chain we analysed resulted in our system being silently exploited by Angler Exploit Kit (EK). The Teslacrypt crypto-ransomware was then dropped and executed on our test machine.
The popular airline travel site yatra[.]com is currently (01 Feb 2016) redirecting users to Angler Exploit Kit (EK) via a compromised advertising script. The millions of users per month browsing to the yatra[.]com homepage are currently exposed to being redirected to code that silently drops and executes malware in the background by exploiting one of the latest Flash Player vulnerabilities.
Forcepoint Security Labs™ identified this week that a well known transport company's website had been compromised. We discovered that it was redirecting users to Angler Exploit Kit (EK). Forcepoint informed the company, which was quick to respond and address the issue. Users browsing to the site were exposed to malware being silently dropped onto their system and executed in the background. When we analyzed the infection we saw that users were being redirected to Angler EK, which was then exploiting CVE-2015-8651 in Adobe Flash Player.
It is the beginning of 2016. Most of us will be building our calendars around the year's public holidays. Many of us would of course use Google search to find these dates. But browsers beware, because one of the top results may lead to your credentials and money being stolen by malware. The website in question, officeholidays[.]com, has been compromised and leads users to RIG Exploit Kit (EK).
Today, we came across a website providing free Christmas graphics along with an early but unwanted Christmas present. The website christmas-graphics-plus[.]com is injected with malicious code that leads users on a virtual sleigh ride to Angler Exploit Kit (EK) and drops the new CryptoWall 4.0 ransomware. If you were to visit this grotto, then all of your documents would be encrypted and held to ransom, including your Christmas card address book. The real Nightmare Before Christmas.