Popular Sports Site Goal.com Serves Malware

2011-05-03T19:05:02
ID THREATPOST:F143FEE5D0268A8FD7B954FDAD0944A7
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:08:50

Description

Goal.com, a popular football (aka “soccer” for all us Yanks) news site, was hacked and found serving malware via drive-by downloads between April 27 and 28, according to a post by Web security firm Armorize.

In an analysis of the attack, Armorize researcher Wayne Huang suggests that a hacker specifically targeted and compromised Goal.com through a back door that allowed the attacker to manipulate the site’s content at will. Researchers at Armorize said the attacks appear to be specific to Goal.com, which ranks 379th on Alexa.com’s list of the world’s top Web sites. That suggests the compromise is not part of a mass SQL injection campaign.

According to the report, Goal.com was observed on April 27 and 28, 2011 serving an injected iframe that forwarded visitors to a rogue domain in the .cc top-level domain (TLD). That redirect was the first in a chain of events that ended in the delivery of a known exploit pack, g01pack, which selects exploits for the specific operating system and browser version the Goal.com visitor is using. After the user’s browser was exploited, further malware, including a Trojan horse program, was downloaded to the victim’s computer.
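The injected-iframe stage of such a chain is the part a site owner can check for directly. The following is an added example, not code from the original article or from Armorize: it parses a page with the Python standard library and flags iframes that are both off-site and hidden (zero or one-pixel dimensions, or CSS that makes them invisible or pushes them off screen). The page URL, the rogue host name and the sample HTML are all constructed for the example; the .cc host echoes the TLD mentioned in the report but is not a real indicator from the incident.

```python
"""Flag hidden off-site iframes of the kind used in drive-by injections.

Hypothetical example code. Only the standard library is used so it runs
offline against HTML you already have on disk or in memory.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed, one injected hidden iframe.
SAMPLE_HTML = """<html><head><title>Match report</title></head>
<body>
<div id="content"><p>Final score: 2-1.</p></div>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://example-rogue.cc/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# CSS fragments (whitespace stripped, lower-cased) that hide or displace a frame.
HIDING_STYLES = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1' or '315px'; None if absent."""
    try:
        return int(value.strip().rstrip("px"))
    except (ValueError, AttributeError):
        return None


def is_hidden(attrs):
    """True if the iframe is effectively invisible to the visitor."""
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(fragment in style for fragment in HIDING_STYLES)


def find_suspicious_iframes(html, page_url):
    """Return findings for iframes that are hidden AND point off-site.

    A visible off-site embed (video player, ad slot) is not reported; a
    hidden frame pulling content from another host is the drive-by pattern.
    """
    own_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == own_host:
            continue  # same-origin or srcless frames are out of scope here
        if not is_hidden(attrs):
            continue
        findings.append({
            "src": src,
            "host": host,
            "tld": host.rsplit(".", 1)[-1],
            "hidden": True,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "http://www.example-news.com/match"):
        print("suspicious iframe:", finding["src"], "(TLD .%s)" % finding["tld"])
```

Run it over a saved copy of a page (or the output of a crawler) rather than a live fetch from a browser profile, since the injected content may only be served to certain User-Agents or once per client IP; comparing the set of iframe hosts against a known-good baseline of your own embeds is the natural next step.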

The number of users compromised after they visited Goal.com isn’t known. The site receives anywhere between 215,000 and 232,000 daily unique page views, according to alexa.com.

As is often the case, the domains used to deliver the malware were not identified by AV products as malicious or blacklisted by Google’s SafeBrowsing feature, a fact that Huang claims fortifies the argument that these are targeted attacks.

According to the post, Armorize scanners became aware of the attack when the hacker responsible started testing injections at Goal.com. The browser exploits used during the test targeted CVE-2010-1423 (a Java vulnerability), CVE-2010-1885 (Microsoft’s Help Center), CVE-2009-0927 (PDF) and CVE-2006-0003 (Microsoft’s MDAC).

The attacker used the g01pack exploit kit, which includes a fake admin page that serves as a honeypot for researchers, allowing the attacker to keep track of anyone attempting to investigate his work. The exploit code was also mutated to avoid detection.

Attacks such as this one represent a trend in malware distribution. Security researchers have noted for some time that reputable Web sites are high-value targets for online scammers, who want to take advantage of their large visitor traffic and high search engine ranking. In February 2010, Kaspersky Lab researchers reported that one in every 150 legitimate Web sites was hosting malicious content, with attackers leveraging holes in legitimate sites to push malware to their unsuspecting visitors.