Popular Japanese blog platform affected by malicious redirections
Exploits and vulnerabilities | News | Threats

Popular Japanese blog platform affected by malicious redirections

Posted: September 11, 2014 by Jérôme Segura

Our honeypots caught drive-by downloads that appeared to stem from Ameba, a popular Japanese blogging and social networking site.

Upon further review we found out that they came from a particular user page rather than the blog’s official homepage ameblo.jp, which is a good thing as it reduces the scope of the attack.

Let’s dig in and review the URLs involved in this infection. The traffic flow is quite typical in that the original site itself is not compromised but links to a domain that is (read more about this infected server (Linux/Cdorked.A malware) on the StopMalvertising blog).

page

Fiddler HTTP traffic overview:

Fiddler

Here is the script that references the compromised URL (ceskyfousekcanada.com/bottom2.js):

linktocesky

This site performs a conditional redirect. If you visit the URL directly, you get a legitimate piece of JavaScript. However, if you have the right referer, you get the malicious code:

conditionalredirect

That URL gets us onto a RIG Exploit Kit landing page. In our case, we were served the following:

Upon successful exploitation, a payload is dropped and executed. The threat is detected as Backdoor.Bot by Malwarebytes Anti-Malware (VT link).

MBAM

It’s always better to detect an attack before it has a chance to drop its payload. We visited the Japanese blog while running Malwarebytes Anti-Exploit and were protected:

AntiExploit

Any website is a good website from a hacker’s point of view but those that generate a lot of traffic have an obvious attraction.

Interestingly, there is no need to try and compromise top-ranked websites because they often rely on third-party sources for various reasons (additional plugins, widgets, etc.).

This is especially true when content is created by end users who might inadvertently insert risky links.

For this reason, attackers may study carefully external requests made from popular websites and try and hack into those instead.

Why try and go after well guarded top domains when you can pick up the easier ones? The end result is the same: millions of visitors are exposed to malware.

@jeromesegura

RELATED ARTICLES

leaking bucket in the cloud
News | Privacy

4.8 million healthcare records left freely accessible

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

CONTINUE READING 0 Comments
patched Apple
Apple | News

Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

CONTINUE READING 0 Comments
data brokers have lots of location data
News | Privacy

Data brokers should stop trading health and location data, new bill proposes

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

CONTINUE READING 0 Comments
TikTok logo
News | Privacy

TikTok ban in US: Company seeks emergency injunction to prevent it

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

CONTINUE READING 0 Comments
Matrix encrypted messaging service seized
News | Privacy

Encrypted messaging service intercepted, 2.3 million messages read by law enforcement

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jérôme Segura

Jérôme Segura

Sr Director, Research

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams