SBS Alert here:
http://www.sbs.com.au/article/124519/SBS-website-statement-July-18-2011
“Over the last 2 days, the SBS website has been the victim of a hacking attack.
This is the first time that the SBS site has suffered any sort of attack, however unfortunately, this is a common occurrence for many websites and organisations around the world.
While SBS has comprehensive safety measures in place across the site, this source has been able to enter the site on this occasion and has inserted a link to a third party ‘malware site’.
Users who may have inadvertently visited this third party malware site could then have had their machines infected with a virus depending on their security settings. SBS recommends that any site users who may be concerned about infection run a full security scan.
SBS would like to apologise to any of our site users who may have been affected by a virus.
Our digital team has been working throughout the weekend to rectify the problem and have now resolved the problem. Investigations are ongoing regarding how this issue occurred and what steps can be taken to ensure it does not happen again.
We will continue to keep you updated.”
According to Google Safe Browsing, the malicious domains implicated included manx.in, jongunn.gv.vg, sxkoubei.gv.vg, tppkuban.ru, zondgroup.com and hiddenseo.ru
sbs.com.au are by no means the only victims. A bit of digging finds other sites affected by related malicious domains, including bestoftexas.com, dnronline.com, hdtvmagazine.com, mcleodgaming.com, rxmuscle.com, cyclilngcentralshop.com, theworldgame.com.au, obsessedwithfilm.com.
I’ve been able to track down a blog entry describing what happened here. I quote:
“One of our computers was infected on Thursday night after visiting the Tour de France tracker page on the SBS website. The malware popped up an Adobe Flash upgrade box that was incredibly realistic. We both checked it and then clicked OK.
Things then went weird the following night when the tracker was revisited. The desktop disappeared and the computer opened random websites. I checked and there were strange processes. I tried to shut them down, but it didn’t work. The malware disabled the windows desktop and made all the files on the hard drive hidden, but didn’t actually delete them.
This computer had an up to date enterprise-managed anti-virus program installed. Somehow the malware got passed this and then proceeded to cause us trouble.”
Digging a little deeper, we find evidence that heraldsun.com.au was also affected by an attack on or about the 13th of July:
http://www.smh.com.au/business/news-apologises-for-website-virus-after-hack-attack-20110713-1hdeh.html#ixzz1SNGFxxRq
“The Herald & Weekly Times, publishers of heraldsun.com.au, can confirm that we did have a hacking attack on the Herald Sun web site on Monday July 11," he said. "The attack attached malware on some files on the site. … We have since addressed the issue, but we are not in a position to release any further details on the basis that it may provide information for further attacks,"
According to this forum conversation, Norton detected the heraldsun.com.au incident as Blackhole Toolkit. Blackhole Toolkit is a nasty piece of work that takes advantage of various security exploits and can be tied in with fake security software (see here). Interestingly, the Blackhole Toolkit has been implicated in the LinkedIn Spam emails I mentioned the other day.
It just goes to show, the miscreants behind all of these goings-on have their fingers in lots of different pies.
Google Safe Browsing gives no indication that there has been trouble at smh.com.au or heraldsun.com.au.