
Going On Vacation? Don't Forget Your Antivirus.

Posted by Henry Dallow on Fri, Jul 18, 2014

 

The Nuclear Exploit Kit

A new piece of malicious code, known as the Nuclear exploit kit, has recently been circulating. The kit has been served from a number of travel websites that have been compromised. It was discovered by security researchers at Proofpoint after customers received promotional emails from legitimate businesses whose mailing lists they had signed up for. These emails contained links to the infected websites.

Some of the promotional emails referred to 4th of July activities, while others contained general travel-related content. The attackers timed their activities to coincide with the summer travel season and the marketing that usually happens at this time of year.

The websites are popular sites that see a lot of organic web traffic, so anyone searching for information relating to tourism in a large number of US cities could have been exposed to the infected sites.

When a user browsed to any of these websites, they were exposed to the Nuclear exploit kit, which bundles multiple exploits, including exploits for Java and Adobe Acrobat. In this case, if the exploit is successful, it attempts to install at least three pieces of malware.

*Editor's Note* You should still update Java when prompted, as updates do fix current issues.

So far, all the web addresses used in the attack appear to be based in Ukraine.

Current list of infected websites:


You do not have to click on any link for your computer to become infected while on the site. Being on the site alone will infect your computer. Because of the way this infection enters your computer, the attack won't be recognized or blocked by most antivirus, firewall, or Internet Security software. Even Malicious Web Site Blocking in Internet Security software is likely to treat these as legitimate sites, unless it analyzes the actual behavior taking place on your computer when you go to those sites.

The hosting companies for these sites have been contacted, so some of the affected sites might already have been fixed.

If you have any questions regarding this or any other virus/malware/rootkits please contact us. We are happy to help.

 


Tags: email, Virus, Browser Hijacking, Security, Malware Prevention