Hacked US Treasury websites serve visitors malware

Lights on, no one home

Mon 3 May 2010 // 20:40 UTC

Updated Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.

To cover their tracks, the miscreants behind the compromise tailored it so it attacks only IP addresses that haven't already visited the Treasury websites. That makes it harder for white hat-hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.

The attack is most likely related to mass infections that two weeks ago hit hundreds of sites hosted by Network Solutions and GoDaddy, said Dean De Beer, founder and CTO of security consultancy zero(day)solutions.

He made that assessment based on the observation that the compromised Treasury websites are hosted at Network Solutions and the owner of grepad.com is also the owner of record for most of the websites used in the earlier attacks.

"There's a very high probability that it's the same person," De Beer said. "The only things that are changing are the domains."

Earlier, Thompson speculated the attack might be the result of someone exploiting a SQL injection vulnerability on the Treasury websites. After investigating that possibility, De Beer said it was unlikely because the hacked Treasury sites contained static HTML pages that aren't susceptible to such exploits.

Media representatives at the Treasury Department didn't return a phone call seeking comment. ®

This posting was updated to include details linking the attacks to similar mass compromises that hit sites hosted by Network Solutions and GoDaddy.

More about

COMMENTS

TIP US OFF

Send us news

Topics

Special Features

Vendor Voice

Resources

Security

Hacked US Treasury websites serve visitors malware

Lights on, no one home

More about

TIP US OFF

Other stories you might like

Google squashes AI teams together in push for fresh models

SpaceX, Northrop Grumman reportedly working on US spy sat program

Sacramento airport goes no-fly after AT&T internet cable snipped

A different view from the edge

NASA solar sail to be Siriusly visible in orbit from Earth

Qt Ubuntu 24.04 betas show that there's room to innovate

AI energy draw from Chicago datacenters to rise ninefold

WhatsApp, Threads, more banished from Apple App Store in China

Unintended acceleration leads to recall of every Cybertruck produced so far

A quarter of 5-7 year olds now use smartphones, says regulator

Cybercriminals threaten to leak all 5 million records from stolen database of high-risk individuals

Germany cuffs alleged Russian spies over plot to bomb industrial and military targets

About Us

Our Websites

Your Privacy