DailyMotion Hacked, Visitors Redirected to Exploit Kit
DailyMotion, the French video-sharing website, was hacked and visitors viewing the website were redirected to the Sweet Orange Exploit Kit.
On June 28, DailyMotion was compromised, sending all of its visitors to an exploit kit that takes advantage of vulnerabilities found in Flash Player, Internet Explorer, and Java. If the vulnerabilities were successfully exploited during the campaign, pay-per-click malware was then downloaded onto the victim's computer, Symantec reported. As of now, DailyMotion is safe to visit and no longer serving the exploit kit.
Researchers believe attackers targeted the website because of its huge potential reach: it is ranked the number 90 most popular website in the world by the Alexa web traffic data aggregator. The website could compromise a substantial number of computers with malware through the campaign. Symantec's security team reports that it found the DailyMotion attack affecting only users located in the United States and Europe.
Cyber criminals crafted the attack by injecting an iframe into DailyMotion's website, which redirected users to a website serving malicious files. Visitors finally landed on what was reported to be a "highly obfuscated" webpage serving the Sweet Orange Exploit Kit.
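For site operators, one way to catch this kind of injected iframe is to audit served pages for frames that load from hosts the site does not own. The sketch below is an added example, not code from DailyMotion or Symantec; the host names, the allowlist and the sample page are constructed, and the hidden-frame heuristic is an assumption rather than a detail from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately frames (constructed values).
ALLOWED_HOSTS = {"static.example-video.test"}

# Constructed sample page: two legitimate frames and one injected one.
SAMPLE = """<html><body>
<iframe src="/embed/video/x1"></iframe>
<iframe src="https://static.example-video.test/player.html" width="640"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Records every iframe whose source host is not on the allowlist."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_hosts) | {page_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        u = urlparse(src)
        # Relative URLs stay on the page host; non-HTTP schemes such as
        # "javascript:" have no host and are reported under the scheme.
        host = u.hostname or (u.scheme + ":" if u.scheme else self.page_host)
        if host in self.allowed:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in {"0", "1"} or a.get("height") in {"0", "1"}
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"line": self.getpos()[0], "host": host,
                              "src": src, "hidden": hidden})


def audit(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of off-allowlist iframes found in the HTML text."""
    auditor = IframeAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for f in audit(SAMPLE, "www.example-video.test"):
        print(f)
```

Run against rendered pages on a schedule, a check like this complements a Content-Security-Policy `frame-src` directive, which stops the browser from loading frames from unlisted hosts in the first place.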
From there, the exploit kit scanned the machine for vulnerable plugins and injected accordingly. Sweet Orange Exploit Kit is notorious for exploiting:
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
- Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
- Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2013-2460)
If Sweet Orange Exploit Kit successfully exploited or injected any malware, then Trojan.Adclicker was downloaded to victims' computers. This malware forces victims' computers to generate artificial traffic to pay-per-click (PPC) online advertisements, generating revenue for the attackers.
DailyMotion has since removed any malicious code found on the website, but did not state how long the exploit was served, only when attackers successfully exploited the target.