
250+ US News Websites Hijacked to Spread Malware

Summary

Multiple News websites were used to distribute fake web browser updates that contained malware.

 

Quotes

Quote

Threat actors are using the compromised...media compan[ies] to deploy the SocGholish JavaScript malware... (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. The threat actor... (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites. This malicious JavaScript file is used to... infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates. "Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners," In total, the malware has been installed on sites belonging to more than 250 U.S. news outlets, some of them being major news organizations. Proofpoint says it knows of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, D.C., and more. Proofpoint has previously observed SocGholish campaigns using fake updates and website redirects to infect users, including, in some cases, [with] ransomware payloads.

 

My thoughts

While BleepingComputer and other sources aren't commenting on which Network(s) were hijacked, it looks like at least a network that begins with an F and rhymes with Box based on a few anecdotal pieces of evidence elsewhere. Thankfully it's not as much of the World Wide Wild West anymore and most browser malware requires social engineering, so I'm hoping not a lot of people were affected.

 

Sources

Tech Crunch

Security Week

Bleeping Computer (quote source)

 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Might be a good idea to run noscript or turn on ublock's js blocker on sites that don't strictly require js for the time being. And in general, really - if it doesn't need js it's a good idea not to use it.

1 hour ago, rcmaehl said:

it looks like at least a network that begins with an F and rhymes with Box based on a few anecdotal pieces of evidence elsewhere.

I'll take the malware over visiting that one 😛 

5 minutes ago, IPD said:

Would we even know the difference if the Corporate Media was suddenly spamming out fake? That seems like an average Tuesday....

well yes, we can tell the difference between dishonest reporting and literal malware.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


@rcmaehl IMO you should have included this in your post:

Quote

“If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”

VGhlIHF1aWV0ZXIgeW91IGJlY29tZSwgdGhlIG1vcmUgeW91IGFyZSBhYmxlIHRvIGhlYXIu

^ not a crypto wallet


One of the reasons I hate the information block on consumers.

Where it's hard to find the version number, know which ones count and what is legit.

File size etc., and the pathway for the download. A lot of things and dates are often hidden from consumers that should be seen before downloading.


8 hours ago, rcmaehl said:

Summary

Multiple News websites were used to distribute fake web browser updates that contained malware.

 

Quotes

 

My thoughts

While BleepingComputer and other sources aren't commenting on which Network(s) were hijacked, it looks like at least a network that begins with an F and rhymes with Box based on a few anecdotal pieces of evidence elsewhere. Thankfully it's not as much of the World Wide Wild West anymore and most browser malware requires social engineering, so I'm hoping not a lot of people were affected.

 

Sources

Tech Crunch

Security Week

Bleeping Computer (quote source)

 

News sites need to stop running garbage ads then.

 

BTW, on most news sites, just blocking the core JS library like react.js or jquery is enough to kill all the ads.


Is there an actual list of affected websites?

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


On 11/5/2022 at 2:48 AM, rcmaehl said:

an F and rhymes with Box

The harbinger of “fair and balanced” gossip and tea

There is more that meets the eye
I see the soul that is inside

 

 


5 hours ago, captain_to_fire said:

The harbinger of “fair and balanced” gossip and tea

I love CNN. They will tell you precisely what happened/is happening. All you have to do is figure out who/whom is actually doing that stuff.


And Google, which wants to give access to your hard drive and actual components from JavaScript. Love this news. More and more I want to reinstall Netscape 2.8.


Honestly, I don't get it, fox box? 👀

 

On 11/7/2022 at 6:59 AM, captain_to_fire said:

The harbinger of “fair and balanced” gossip and tea

oh

 

Spoiler

but foxnews doesn't rhyme with "box"

 

Spoiler

Honestly, I know what Fox News is, but it's not something in my daily life, being in Europe and all...

 

The direction tells you... the direction

-Scott Manley, 2021

 

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 

