May 3, 2011, 3:05PM

Popular Sports Site Goal.com Serves Malware

Goal.com, a popular football (aka "soccer" for all us Yanks) news site, was hacked and found serving malware via drive-by downloads between April 27 and 28, according to a post by Web security firm Armorize.

In an analysis of the attack, Armorize researcher Wayne Huang suggests that a hacker specifically targeted and compromised Goal.com through a back-door that allowed the attacker to manipulate the site’s content at will. Researchers at Armorize said the attacks appear to be specific to Goal.com, which ranks 379th on Alexa.com's list of the world's top Web sites. That suggests the compromise is not part of a mass SQL injection campaign.

According to the report, Goal.com was detected on April 27 and 28, 2011 serving up an iframe attack that forwarded visitors to a rogue domain in the .cc top-level domain (TLD). That redirect was the first in a chain of events that resulted in the delivery of a known exploit pack, g01pack, which selects its exploits according to the specific operating system and browser version the Goal.com visitor is using. After exploiting the user's browser, further malware, including a Trojan horse program, was downloaded to the victim's computer.
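Defenders monitoring their own pages for this kind of injection typically look for iframes that are both off-site and hidden or pointing at a watched TLD. The following is an added illustration of that check, not code from Armorize or Goal.com; the HTML and the rogue hostname are constructed placeholders, not indicators from the incident.

```python
import re
from urllib.parse import urlparse

# Constructed sample standing in for a compromised article page: legitimate
# content plus an injected, invisible iframe pointing at a .cc host.
# The rogue domain is a placeholder, not one reported for the Goal.com case.
SAMPLE_HTML = """
<html><body>
<h1>Match report</h1>
<p>Full-time: 2-1.</p>
<iframe src="http://video.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://placeholder-rogue.example.cc/in.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*["']?([^"'\s>]*)""")

# TLDs worth a closer look when they appear in an embedded frame (.cc per the report)
SUSPICIOUS_TLDS = {"cc"}


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    An off-site embed on its own is normal (video players, ads); it is
    flagged only when it is also hidden, zero-sized, or on a watched TLD.
    """
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site")
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append("watched-tld")
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if "off-site" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings
```

Running it against a crawl of your own site on a schedule, and diffing the results, catches the injection even when the destination domain is not yet on any blacklist.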

The number of users compromised after they visited Goal.com isn't known. The site receives anywhere between 215,000 and 232,000 daily unique page views, according to alexa.com.

As is often the case, the domains used to deliver the malware were not identified by AV products as malicious or blacklisted by Google's SafeBrowsing feature, a fact that Huang claims fortifies the argument that these are targeted attacks.

According to the post, Armorize scanners became aware of the attack when the hacker responsible started testing injections at Goal.com. The browser exploits used during the test were CVE-2010-1423 (a Java vulnerability), CVE-2010-1885 (Microsoft's Help Center), CVE-2009-0927 (PDF), and CVE-2006-0003 (affecting Microsoft's MDAC).

The attacker used the g01pack exploit kit, which has a fake admin page used as a honeynet for researchers, allowing the attacker to keep track of anyone attempting to research his work. The exploit code was also mutated to avoid further detection.

Attacks such as this one represent a trend in malware distribution. Security researchers have noted for some time that reputable Web sites are high-value targets for online scammers, who want to take advantage of their large visitor traffic and high search engine ranking. In February 2010, Kaspersky Lab researchers reported that one in every 150 legitimate Web sites was hosting malicious content, leveraging holes in legitimate sites to push malware to their unsuspecting guests.

Copyright © 2012 threatpost.com