Well this hits pretty close to home… According to technology firm Invincea, the websites for DC-based WTOP and FederalNewsRadio were compromised and have been exploiting Java and Adobe browser add-ons to distribute fake antivirus software. The website for tech pundit John Dvorak was affected as well. Thanks to @thomashoffecker for pointing this out to us.
The Invincea post contains a very detailed analysis of the malware in action as well as several detection signatures (i.e., Snort, Mandiant IOC, NetWitness rules). We’re unsure if the sites are still infected, but it’s better to be safe than sorry and avoid them for now.
On the evening of May 6th, it was reported that wtop[.] and federalnewsradio[.] were compromised and redirecting user traffic to an Exploit Kit serving the same FakeAV malware variant that was affecting visitors to dvorak[.]org over the weekend. We had visited the Dvorak site and conducted a thorough analysis of the infection and were preparing to blog about the same when this discovery was made. WTOP is the largest radio station in the Washington DC metropolitan area by market share and is an all-news radio station. FederalNewsRadio is a sister news station targeted to reach the Federal workforce. Dvorak is a tech blogger/pundit. All three sites are known to have been compromised to infect their visitors with browser-based exploits of third-party plug-ins including Java and Adobe. In the case of WTOP, the potential risk is that a large number of their visitors may get compromised. In the case of FederalNewsRadio, the target audience is the Federal employee; therefore compromising FederalNewsRadio[.] is effectively setting a watering hole attack site for Federal employees. These are all media sites that we know to have been compromised over the last several days. This is likely an indicator of a larger, more widespread attack against online media sites.
Today’s post pic is from HubbardRadio.com. See ya!