A week ago (on Monday, January 20), as well as on January 14, 11, and 10, Hasbro’s website pushed malicious software to visitors’ computers. As with the Cracked.com compromise a week prior, the incident was the result of direct site compromise, and affected users were unlikely to have recognized that their computers were infected. For reference, below is a screenshot of Barracuda Labs’ malicious URL detection environment after a successful attack.
No smiles during this visit to Hasbro’s website.
The chain of redirects that began at Hasbro’s front page and ended with the installation of malicious software on visitors’ computers was as follows.
-> hxxp://www[.]hasbro[.]com/<redacted> (xMultiple)
  -> hxxps://stats[.]jusybes[.]pw/<redacted> (xMultiple)
    -> hxxp://ahnc[.]blockscheine[.]com/<redacted> (xMultiple)
The second request to stats[.]jusybes[.]pw is notable as HTTPS is used to obfuscate the resulting redirection to ahnc[.]blockscheine[.]com, which serves several Java exploits. Upon successful exploitation, a payload is installed that is not well detected (both Symantec and Trend flag the malicious executable as benign).
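The HTTPS hop described above matters to defenders because browsers do not send a Referer header when navigating from an HTTPS page to an HTTP one, so the link between the first-party site and the exploit host disappears from web-proxy logs. The following added example (not code from the original post or from Barracuda Labs) reconstructs per-client request chains from constructed proxy records, following Referer where present and falling back to time proximity where it is missing, and flags chains that reach a third-party host delivering a Java archive or executable via such a hop. The host names, timings, content types and the gap threshold are assumed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not from the original post). Fields: seconds since the
# client's first request, client IP, requested URL, Referer header, Content-Type.
SAMPLE_LOG = [
    (0.0, "10.0.0.5", "http://www.toysite.test/", "", "text/html"),
    (0.4, "10.0.0.5", "https://stats.tracker.test/c.php", "http://www.toysite.test/", "text/html"),
    # HTTPS -> HTTP hop: browsers omit Referer on a downgrade, so the link is lost here.
    (0.9, "10.0.0.5", "http://ahnc.landing.test/index.php", "", "text/html"),
    (1.6, "10.0.0.5", "http://ahnc.landing.test/ex.jar", "http://ahnc.landing.test/index.php", "application/java-archive"),
    (2.3, "10.0.0.5", "http://ahnc.landing.test/load.exe", "", "application/octet-stream"),
    # Benign control: a first-party CDN serving a Java archive over HTTPS.
    (0.0, "10.0.0.7", "http://www.toysite.test/", "", "text/html"),
    (0.5, "10.0.0.7", "https://cdn.toysite.test/app.jar", "http://www.toysite.test/", "application/java-archive"),
]

FIRST_PARTY = "toysite.test"          # assumed: the site whose visitors we are protecting
PAYLOAD_TYPES = {"application/java-archive", "application/x-java-archive", "application/octet-stream"}
GAP_SECONDS = 3.0                     # assumed: max gap used to link a Referer-less request

def host_of(url):
    return urlparse(url).hostname or ""

def is_first_party(host):
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def drive_by_chains(log, gap=GAP_SECONDS):
    """Return {client: [urls]} for sessions that go first-party page -> third-party
    HTTPS hop -> third-party host delivering a Java archive or executable."""
    by_client = defaultdict(list)
    for rec in sorted(log):
        by_client[rec[1]].append(rec)
    hits = {}
    for client, recs in by_client.items():
        chain, last_t, saw_https = [], None, False
        for t, _, url, ref, ctype in recs:
            host = host_of(url)
            if is_first_party(host) and not ref:      # (re)start at a first-party page load
                chain, saw_https = [url], False
            elif chain and (ref in chain or t - last_t <= gap):
                chain.append(url)                      # linked by Referer, or by time when it is missing
                if urlparse(url).scheme == "https" and not is_first_party(host):
                    saw_https = True
                if saw_https and not is_first_party(host) and ctype in PAYLOAD_TYPES:
                    hits[client] = list(chain)
            last_t = t
    return hits
```

Without the time-proximity fallback the chain for 10.0.0.5 would break at the HTTPS hop and the exploit host would never be tied back to the first-party page; the first-party CDN control shows that a Java archive alone is not a hit.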
Given the frequency with which Hasbro's website has recently served drive-by downloads, Barracuda Labs recommends that users refrain from visiting the site until its operators have confirmed it is again safe.
An archive containing packet capture (PCAP) files that show the sequence of events for drive-by downloads originating from Hasbro.com for January 20, 14, 11, and 10 can be downloaded
Christine Barry is Chief Blogger and Social Media Manager at Barracuda. Her work consists of writing engaging articles related to Barracuda's services and facilitating communication between the public and internal teams. Before joining Barracuda, Christine was a field engineer and project manager in education and with small and medium-sized businesses for more than 15 years. She holds several technical qualifications, a bachelor's degree from the University of Michigan, and a master's degree in business administration.
Connect with Christine on LinkedIn.