NBC Sports Website Attacked by Malicious Code in Ongoing War Using Search Engines

By Chris Hogg.
Mar 19, 2008

DigitalJournal.com has learned the official site of NBC Sports was compromised with malicious code yesterday. Security firm Websense Security Labs explained how an attack on MSNBC has also compromised dozens of other high-profile websites.
Digital Journal -- Malicious attacks, hacks, viruses and spyware are the bane of the Internet. Just ask NBCSports.com, whose website was attacked and infected by malicious code yesterday.
The attack injects a malicious JavaScript iframe into the source code of websites. When a user opens the compromised site, his or her browser is served a series of exploits designed to gain access to the computer.
The exploit was picked up by Websense's ThreatSeeker, a technology that scans more than 600 million websites per week to look for bogus code. Stephan Chenette, Manager of Websense Security Labs, told DigitalJournal.com this automated scanning is what found the malicious code on MSNBC.
The malicious attack is not new. Other sites such as ZDNet, archive.org, wired.com and history.com have also been compromised by the malicious code in the past. MSNBC is also not the first sports site to be attacked -- the official website of the Dolphin Stadium (host to the Super Bowl at the time) was compromised in Feb. 2007, according to Websense. The malicious code involved in that attack was designed to steal private information of casual web surfers.
- Photo courtesy Websense
DigitalJournal.com has learned MSNBC was the latest victim of mass JavaScript injection after a link to a malicious JavaScript file was inserted into the website's source code (see below).
- Photo courtesy Websense
The attack was found by security firm Websense, which explained that it puts visitors at risk: when a visitor hits the site, a malicious script is executed to gain access to their computer.
Websense says many sites have not been compromised per se, but "have become victims of incorrect search engine input validation which resulted in malicious content being embedded in their page."
Chenette told DigitalJournal.com when a user visits a site from a search engine, that site will learn the exact search query the user typed to get to their site. So if you are looking for "Toronto Maple Leaf news" the website will learn the string of text you searched for and will embed that query in the site search to get you more accurate results.
"Malicious attackers have exploited sites that use this search engine optimization (SEO), and have begun using search engines to query for high-profile sites, appending malicious iframes to their query," said Chenette. "Sites such as ZDNet Asia and MSNBC Sports are then taking that query along with the malicious iframe, and embedding it within their own site. In doing this the malicious authors don't need to compromise the website to place malicious content within the page. The sites are doing it themselves."
When a Web wanderer hits an infected page, the iframe is activated and the user is automatically redirected to a malicious website that attempts to gain access to their computer.
So how does a website stay protected against growing threats? Websense says sites must validate untrusted input so malicious active content cannot be embedded.
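An added example, not taken from the article or from Websense: a minimal sketch of a page that echoes the search query from the referrer, first without validation and then with length bounding and HTML encoding. The function names, the `q` parameter, the markup and the sample referrer are assumptions made for illustration.

```javascript
// Added example: names, markup and the sample referrer are constructed for illustration.

// Pull the visitor's search terms out of a search-engine referrer URL.
function searchTermsFromReferrer(referrer) {
  try {
    const url = new URL(referrer);
    return url.searchParams.get('q') || '';
  } catch {
    return ''; // missing or malformed Referer header
  }
}

// Vulnerable: the query is attacker-controlled and is pasted into the page as markup.
function renderUnsafe(referrer) {
  const terms = searchTermsFromReferrer(referrer);
  return `<div class="search-echo">Results for: ${terms}</div>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, attribute or entity in HTML.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: drop control characters, bound the length, then encode for the HTML context.
function renderSafe(referrer) {
  const terms = searchTermsFromReferrer(referrer)
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .slice(0, 100);
  return `<div class="search-echo">Results for: ${escapeHtml(terms)}</div>`;
}

// Constructed referrer: a normal-looking query with an iframe tag appended.
const SAMPLE_REFERRER =
  'https://search.example/search?q=' +
  encodeURIComponent('maple leafs news<iframe src="//attacker.example/x"></iframe>');

console.log(renderUnsafe(SAMPLE_REFERRER)); // iframe tag reaches the page as live markup
console.log(renderSafe(SAMPLE_REFERRER));   // same text is shown as inert characters
```

The encoding step is what neutralises the tag; the length bound and control-character filter only reduce what an echoed query can carry.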
When asked for comment, MSNBC issued a statement to DigitalJournal.com reading: "Yesterday, msnbc.com was alerted about a Web page on NBCSports.com that was compromised. The JavaScript iframe attack was launched on several major sites according to a Websense report. Within minutes of learning of the issue, msnbc.com quickly and successfully secured the singular page that was affected. The issue has been resolved and consumers have been logging onto NBCSports.com without experiencing any problems."
"Currently this search engine optimization input validation attack is an ongoing large problem," said Chenette from Websense. "MSNBC should be performing input validation of the content passed from the search engines. Expect to hear of more large big name sites falling victim to this attack in the next few weeks."