Popular Science Website Redirects visitors to a Website Serving RIG Exploit Kit Malware

Security researchers from Websense Security Lab have discovered that the most popular science reference site called Popular Science has been hacked and redirecting visitors to a third-party domain containing the popular Rig Exploit Kit. Once the visitors visit this third party page, the Rig Exploit Kit malware is downloaded on their computers.

Popular Science

Popular Science website is owned by Bonnier Magazine Group which also brings publishes a magazine called Popular Science in addition to having a dedicated mobile App for it called PopSci.com. The popularity of Popular Science can be guaged from the fact that it is translated into over 30 languages and goes out to at least 45 countries. Though the exact number visitors to the PopSci website are not known, Alexa.com ranks it at 6297 globally and 2234 in the US.

Modus Operandi

The hackers injected the website with a malicious iFrame. This automatically redirected the visitors of PopSci website to a third party domain hosting the RIG Exploit Kit. The same RIG Exploit Kit was used in the US Metro hack as well.

“The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit,” Websense researchers wrote in a report. “The exploit kit launches various exploits against the victim which – if successful – will result in a malicious executable dropped on the user’s system.”

Websense researchers stated that unlike most malwares that deploy a traffic distribution system to send users through a series of redirects before landing on the page hosting the exploit kit, Popsci is routing users directly to the infection. In fact this is the standard operating procedure of RIG Exploit Kit. Websense said that this particular exploit kit was exploiting a Microsoft ActiveX bug (CVE-2013-7331 XMLDOM ActiveX control vulnerability) from 2013 in order to determine what if any antivirus product is running on the victim system. Websense found that the hackers had made exploit kit landing page heavily obfuscated to make analysis and detection more difficult. Websense stated,

This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.

As PopSci is very popular among students and fans, the infection rate of the malware was also found to be high. As per Websense, 43% of all infections are in U.S., U.K. and Netherlands but the malware infections were found all over the world.

The compromise was discovered by researchers from the Websense Security Lab, who said they contacted the IT team at Popular Science and informed them of the breach. As Popular Science has not officially commented on the infection, it is not known whether the site has been patched as of yet.