News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed

Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of AskMen (at ), a popular free online men's web portal, has been compromised and injected with malicious "drive by" code that appears to be part of a mass-injection attack. According to, AskMen's website has more than 10 million visitors each month. The injected code redirects a user to a website serving exploit code, which subsequently drops malicious files on the victim's computer.


Websense Security Labs™ has contacted the host master of with a notification regarding the compromise.


Update: We've been working with Ziff Davis' web security team regarding the compromise, as of today (7th July 2014) we verified with our processes that the website is clean when checked at 14:00 BST and does not serve malicious code. This is not a guarantee the website will continue to be clean. We will continue to monitor the website and update the blog if needed. 



AskMen's main page as of 23 June 2014: statistics for AskMen:



Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:


  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber-attack.
  • Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
  • Stage 6 (Call Home) - Communication to the associated C&C server is prevented.





The injected code has been found in multiple locations within the main website as well as in localized versions of it, like When a user browses to the main website, the injected code loads automatically and silently redirects the user to a website serving the actual exploit code. The injected code is obfuscated and can be found at the bottom of legitimate JavaScript pages on AskMen's website.


The injected code on AskMen's website:


How DGA is used to redirect the user


The obfuscation used here is a simple base64 encoding, which can be easily de-obfuscated to a Redirect to a website generated by its domain generation algorithm (DGA) as well as the DGA itself.


De-obfuscated JavaScript code:



What the above code does is basically this: It takes the current date (year, month, and day) and uses a CRC32 algorithm as a hash function to hash that data, which ends up being the domain name. This means that a new domain will be generated everyday, and as we know how the algorithm works, we can easily predict future domains. For example, the domains that will be generated in the next 7 days (from 24 to 30 June) can be seen below.


Exploit page URLs from 24 to 30 June:



The Redirect takes the unsuspecting user to a heavily obfuscated page serving a Java exploit (most likely CVE-2013-2465) and also an Adobe PDF reader exploit.


The exploit page:



Java exploit:





Nuclear Pack Exploit Kit


The exploit page displays similar obfuscation techniques, which are often used in the Nuclear Pack exploit kit. In addition, the above mentioned Java exploit is most often used by Nuclear Pack. These facts strongly indicate that the attacker is using either the Nuclear Pack exploit kit or a variant of it.

The similarities between the obfuscation methods can be seen below. For example, note how the eval() function is obfuscated when some color name is inserted in the middle of the string. The page uses this as the default background and the string is removed dynamically at runtime. So "eblackval" will successfully be evaluated as "eval".


AskMen exploit page:


Nuclear Pack exploit kit page:





Once the target is successfully exploited, the infamous malware Caphaw is dropped, allowing the attacker unfettered access to the victim's computer. 


Websense ThreatScope identifies the dropped file as "Suspicious":

Here is the full ThreatScope Report.




As we can see, even very popular websites are not immune to malicious code injection attacks. An attack of this scale can potentially infect tens of thousands of unsuspecting users due to the nature of the attack and the high popularity of the website.


Blog Contributor: Elad Sharf

Read more »