NBC.com and Associated Sites Hacked and Serving Citadel Malware -UPDATES: Google, Facebook Blocking NBC Links

A Twitter tip (@zrotech) put us on to the breaking news that NBC.com has been hacked and is serving up Citadel malware.

A quick search turned up the following information on the Hitman Pro blog -

A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.COM spreading malware. We were investigating this as well and found the following interesting facts.

There were two exploit links on the NBC website. The first one was on the main default (entry) page, and the second one was located on http://www.nbc.com/assets/core/js/s_wrapper.js

It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which is already sinkholed:

hxxp://184.82.177.125/tr2002/file.php
hxxp://184.82.177.125/tr2102/file.php

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC's pages (my emphasis), linking to e.g.:

hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://nikweinstein.com/cl/google.php
hxxp://walterjeffers.com/ctuk.html
hxxp://barbecuechickenrecipes.org/ctuk.htm
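The indicators in the excerpt above are the practical takeaway for anyone who runs a network: a sweep of the proxy logs tells you which clients reached one of the rotated exploit landing pages and, more importantly, which ones have started talking to the sinkholed Citadel server. The following is an added example for this article, not code from the original page or from Hitman Pro/Fox-IT. The indicator list is the one quoted above (still in its defanged hxxp:// form); the proxy log format and the log lines are constructed for illustration only.

```python
"""Match the indicators quoted above against proxy logs.

Added example for this article; it is not code from the original page or
from Hitman Pro/Fox-IT. The indicator list is copied from the excerpt above
(still in its defanged hxxp:// form); the proxy log lines are constructed
for illustration and do not come from any real NBC visitor.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the Hitman Pro excerpt lists them (defanged).
RAW_IOCS = [
    "hxxp://184.82.177.125/tr2002/file.php",    # Citadel C2 (sinkholed)
    "hxxp://184.82.177.125/tr2102/file.php",    # Citadel C2 (sinkholed)
    "hxxp://moi-npovye-sploett.com/qqqq/1.php",  # rotated exploit landing pages
    "hxxp://nikweinstein.com/cl/google.php",
    "hxxp://walterjeffers.com/ctuk.html",
    "hxxp://barbecuechickenrecipes.org/ctuk.htm",
]

# The C2 host is the one indicator that separates "saw the exploit page"
# from "is running Citadel and beaconing".
C2_HOST = "184.82.177.125"


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL string."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def ioc_hosts(iocs):
    """Hostnames/IPs from the indicator list.

    We match on host rather than full URL: the excerpt says the attack
    pages were swapped within an hour, so exact paths go stale quickly
    while the hosts stay useful a little longer. www.nbc.com itself is
    deliberately not an indicator; it is the legitimate, compromised site.
    """
    return {urlsplit(refang(u)).hostname for u in iocs}


# Constructed proxy log lines (illustrative, Squid-like layout):
# epoch_time client_ip method url status
SAMPLE_LOG = """\
1361484001.123 10.0.0.5 GET http://www.nbc.com/ 200
1361484002.456 10.0.0.5 GET http://www.nbc.com/assets/core/js/s_wrapper.js 200
1361484003.789 10.0.0.5 GET http://moi-npovye-sploett.com/qqqq/1.php 200
1361484010.000 10.0.0.5 GET http://184.82.177.125/tr2102/file.php 200
1361484020.000 10.0.0.9 GET http://www.example.com/index.html 200
1361484030.000 10.0.0.9 GET http://nikweinstein.com/cl/google.php 404
not a log line
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_log(text, iocs=RAW_IOCS):
    """Return {client_ip: [(timestamp, url), ...]} for requests to an IOC host.

    Lines that do not parse are skipped rather than treated as hits.
    """
    hosts = ioc_hosts(iocs)
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if urlsplit(m["url"]).hostname in hosts:
            hits.setdefault(m["client"], []).append((m["ts"], m["url"]))
    return hits


def classify(hits, c2_host=C2_HOST):
    """Label each client: 'beaconing' if it contacted the Citadel C2 host
    (treat as infected: isolate and rebuild), 'exposed' if it only reached an
    exploit landing page (check Java/Reader versions, sweep for Citadel)."""
    verdicts = {}
    for client, reqs in hits.items():
        contacted_c2 = any(urlsplit(u).hostname == c2_host for _, u in reqs)
        verdicts[client] = "beaconing" if contacted_c2 else "exposed"
    return verdicts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, verdict in sorted(classify(found).items()):
        print(f"{client}: {verdict}")
        for ts, url in found[client]:
            print(f"    {ts} {url}")
```

Two points from the excerpt shape the design. Because the attack pages were rotated within an hour, the landing-page URLs are weak evidence on their own and the match is done per host; any client that hit one should at least have its Java and PDF reader versions checked. The C2 entries are the strong signal: the IP is reported as already sinkholed, but a client that is still requesting `file.php` there is a client running Citadel, whoever answers.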


Banking fraud and cyber espionage are among the biggest threats in the world of malware. With all the recent news of Twitter, Facebook, and Apple being hacked, it is striking that a compromise of this scale has surfaced so soon after those stories. There have also been accusations that a Chinese military-sponsored effort is behind the biggest and most sophisticated cyber-attacks against this country, though nothing reported so far ties the NBC compromise to that: the source above describes Citadel as a banking-fraud Trojan, and the Java and PDF exploits it names are the usual tooling of criminal drive-by kits. We'll update with all details as they become available. In the meantime, don't visit NBC.com if you can help it.

Update – The same source reports that Facebook is blocking links to NBC.com.

Update 2 – Reports are coming in that this affects not only NBC's subsites but other NBC properties such as JayLenosGarage and Late Night with Jimmy Fallon. Google is also reportedly blacklisting all NBC sites; I have tested this but haven't seen it yet.

Last Update – There are reports that the malware is no longer active and has been removed from the sites. We'll have a wrap-up of everything we can find out (what happened, how you can protect yourself, and more) as soon as possible.

About John Casaretto

SiliconANGLE's CyberSecurity Editor - Have a story tip or feedback? Please reach out to me! Security is as critical as ever and our mission is to uncover those stories that will help our industry be more secure.