Anatomy of a Compromised Site: 7,000 Victims in Two Hours

Earlier this year we discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The site was compromised via WordPress plugin vulnerabilities that allowed the attacker to add a script that redirected users to a second compromised site, which eventually led users to download the malware.

These types of attacks are unfortunately common, but the underlying details may not be clear to all. Attacks like these are quite capable of delivering different payloads to users, depending on the system configuration of the target.

For example, in this attack, Firefox and Internet Explorer users were hit with a proxy auto-configuration (PAC) script that redirects some of the user’s Internet traffic through a malicious proxy. Chrome users get a malicious extension that is actually a copy of BOLWARE detected as BKDR_QULKONWI.GHR; this particular family targets certain features of Brazilian payment systems in order to carry out fraudulent schemes.

The video below describes how the attack was carried out. It shows how the site was compromised, the details of the attack, as well as a demonstration the capabilities of the payloads (particularly BOLWARE). This will hopefully let users become more aware of these threats and learn how to avoid them accordingly.

Our previous entries dealing with this topic are:

The SHA1 hash of BOLWARE mentioned in this post is: