Sunday, November 19, 2017
Home / Malware / NBC.com Recovering from Citadel Compromise

NBC.com Recovering from Citadel Compromise

For a brief time on Thursday, NBC.com, as well as other brand-related domains, were hijacked and used to deliver malware to visitors. The broadcasting corporation is still working to determine how the compromise occurred and how long the malicious code existed on their Web-based properties.

The attack against visitors to NBC.com came from Iframes linking to the Citadel Trojan, which if successfully installed on a victim’s system, steals personal and financial information. NBC, in a statement to the media, claimed that no user data was stolen.

Yet, given that they do not control the Citadel C&C, and they don’t know where the attack originated from, they have no way of knowing how many users were infected and no way of knowing if sensitive information was stolen. Thus, they are either blissfully clueless, or they are only speaking to the Webservers and databases that were compromised.

In addition to Citadel, ZeroAccess was also discovered during research into the attacks. This malware moderates an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, according to research from security firm SurfRight (Hitman Pro).

The domains that were used in the attack, where Citadel and ZeroAccess were housed, were managed by the RedKit Exploit kit, enabling the attackers to rotate attack domains on an hourly basis.

In response to NBC’s security issues, Google and Facebook issued warnings or outright blocked access to the broadcaster’s domain – but these restrictions were lifted early Friday morning. NBC’s main domain was impacted, but domains for Jimmy Fallon’s TV show and a promotional page for Jay Leno were also hijacked.

Other than a brief statement to the media that the investigation in to the attack was ongoing, and no user information was stolen (which may not be true), NBC has made no further comments on the matter, but we’ll update this story if that changes.

Article originally seen on www.securityweek.com

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

New FastPOS malware targeting Point-of-Sale systems

Experts have disclosed a new category of malware, labeled “FastPOS,” that has the ability to quickly …