Fiesta Exploits Kit Targeting High Alexa-Ranked Site

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, have identified a new malicious attack targeting hxxp://www.mapsofworld.com/, a high Alexa-ranked site in the top 10,000 most visited sites. The site has been compromised and injected with malicious code.

 

The infection utilizes an iframe redirection method that redirects users to suspicious Dynamic DNS URLs hosted on different providers:

 

 

The iframe redirects users to a malicious website hosting the Fiesta exploit kit. During the first few hours of the attack, we have noticed several different URLs being used by the attackers.

 

 

Once the user visits the site, a popup window displays and asks the user to click to get more information from Java support. 

 

 

The iframe leads the user to a redirection loop on the same Dynamic DNS subdomain and eventually ends up with the exploit kit automatically installing a malicious file onto the computer without the user's knowledge.

 

 

 

This injection was hard to spot as the injected code seems to fluctuate. One minute it’s there; the next minute, it’s not. This is where Websense Advanced Classification Engine (ACE) plays a great role in blocking the threat in real time as the threat appears. Unlike other solutions using static defenses that mirror what you have, ACE in the Cloud provides unique real-time defense assessments for security, data, and content analysis. Webpage content, active scripts, exploit code, obfuscated commands, and web redirects are analyzed in real time along with malicious files, PDFs, and executables. ACE combines seven security defense assessment areas that work together in a predictive composite scoring defense against advanced threats and targeted attacks as they emerge.

 

Websense Security Labs has observed a number of other high Alexa-ranked sites being targeted in the past few days:

hxxp://www.mapsofindia.com/

hxxp://www.ffonts.net/

hxxp://submityoursite.com/

hxxp://mappery.com/

hxxp://www.siteinspector.com/

hxxp://dgreetings.com/

hxxp://charge.com/

 

 

Top countries affected are the U.S., India, and the United Kingdom.

 

Websense customers are protected from these and other threats by the Websense Advanced Classification Engine.