IT security company Proofpoint researchers recently discovered that a large number of travel destination websites had been compromised with dangerous malware. The infected sites were detected after users received promotional emails from these sites containing links to infected pages. This is likely a highly effective campaign, since these were legitimate emails that users had typically opted in to receive. The malware is also hard to catch: it bypassed all but four of the 51 antivirus products that Proofpoint tested.
Some of the promotional emails included references to 4th of July activities while others were general travel related content, so the attackers timed their activities to coincide with the summer travel season and the marketing activities that usually happen this time of year.
Initially about a dozen travel destination websites were identified as being compromised, but additional sites are still continuing to be discovered. What’s particularly worrisome is that these are popular sites that see a lot of organic web traffic, so anyone searching for information relating to tourism in a large number of US cities could have been exposed to the infected sites.
For example, the Myrtle Beach website (www.visitmyrtlebeach.com) is the #2 search result on Google for “myrtle beach”.
When a user browsed to any of these websites they were exposed to several exploits, including ones for Java and Adobe Acrobat. If an exploit succeeds, it attempts to install at least three pieces of malware:
Zemot – A downloader that fetches and installs additional pieces of malware.
Rovnix – A sophisticated bootloader/rootkit that launches the installed malware when the PC boots and then hides itself and the other malware from detection.
Fareit – Another downloader, which also attempts to steal user credentials and can be used in DDoS attacks.
This attack was also clever about its choice of hostname for the site hosting the exploit kit. In this case they used what appears to be a travel related site, ecom.virtualtravelevent.org, helping make the exploit link blend in and look like legitimate content.
So far, all the IPs used in the attack appear to be based in Ukraine.
Current list of infected websites:
www[.]visitsaltlake[.]com
www[.]visitcumberlandvalley[.]com
www[.]visitmyrtlebeach[.]com
www[.]visithoustontexas[.]com
www[.]seemonterey[.]com
www[.]visitannapolis[.]org
www[.]bostonusa[.]com
www[.]visitokc[.]com/
www[.]tourismvictoria[.]com
www[.]trenton-downtown[.]com
www[.]UtahValley[.]com
www[.]visittucson[.]org
www[.]visitrochester[.]com
www[.]southshorecva[.]com
The hosting companies for these sites have been contacted, so some sites shown above might have been fixed. Other sites may have been infected and not discovered yet. If your computer is infected with malware, your personal data may be at risk. For your protection, you should contact an IT professional immediately.
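For anyone who wants to check whether their own users reached these sites, the list above and the exploit-kit hostname named earlier are enough to build a simple watchlist. The following Python script is an added example for this article, not code from Proofpoint or the author: it refangs the published "[.]" indicators, scans a proxy log for visits to any listed site, and flags clients that went on to contact ecom.virtualtravelevent.org (the sign that the exploit link actually fired). The log format and the log lines themselves are constructed for the example; a real proxy log would need its own parser.

```python
"""Added example: match the article's published indicators against a proxy log.
Indicator values come from the article; log lines and format are constructed."""
import re
from urllib.parse import urlparse

# Compromised sites as printed in the article, defanged with "[.]".
DEFANGED_SITES = [
    "www[.]visitsaltlake[.]com", "www[.]visitcumberlandvalley[.]com",
    "www[.]visitmyrtlebeach[.]com", "www[.]visithoustontexas[.]com",
    "www[.]seemonterey[.]com", "www[.]visitannapolis[.]org",
    "www[.]bostonusa[.]com", "www[.]visitokc[.]com/",
    "www[.]tourismvictoria[.]com", "www[.]trenton-downtown[.]com",
    "www[.]UtahValley[.]com", "www[.]visittucson[.]org",
    "www[.]visitrochester[.]com", "www[.]southshorecva[.]com",
]
# Hostname the article names as serving the exploit kit.
EXPLOIT_KIT_HOST = "ecom.virtualtravelevent.org"

def refang(indicator):
    """'www[.]UtahValley[.]com/' -> 'utahvalley.com': lowercase, no 'www.', no path."""
    host = indicator.replace("[.]", ".").split("/")[0].strip().lower()
    return host[4:] if host.startswith("www.") else host

def build_watchlist(indicators, extra_hosts=()):
    """Set of bare domains to watch; extra_hosts are added as-is (lowercased)."""
    return {refang(i) for i in indicators} | {h.lower() for h in extra_hosts}

def host_matches(host, watchlist):
    """True if host equals a watched domain or is any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "host": (urlparse(url).hostname or "").lower()}

def scan_proxy_log(log_text, watchlist):
    """Return every parsed record whose host is on the watchlist, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"], watchlist):
            hits.append(rec)
    return hits

def clients_reaching_exploit_kit(hits, exploit_host=EXPLOIT_KIT_HOST):
    """Clients that visited a listed site and afterwards contacted the exploit-kit host.
    A direct hit on the exploit host with no prior listed-site visit is not flagged here."""
    seen_site, flagged = set(), []
    for rec in hits:
        if rec["host"] == exploit_host:
            if rec["client"] in seen_site and rec["client"] not in flagged:
                flagged.append(rec["client"])
        else:
            seen_site.add(rec["client"])
    return flagged

# Constructed sample log; the hosts are the article's indicators plus neutral filler.
SAMPLE_PROXY_LOG = """\
2014-07-02T10:15:01Z 10.0.0.12 GET http://news.example.test/story 200
2014-07-02T10:15:07Z 10.0.0.12 GET http://www.visitmyrtlebeach.com/things-to-do/ 200
2014-07-02T10:15:09Z 10.0.0.12 GET http://ecom.virtualtravelevent.org/ 200
2014-07-02T10:16:30Z 10.0.0.41 GET http://visitokc.com/july-4th 200
2014-07-02T10:17:02Z 10.0.0.55 GET http://cdn.example.test/lib.js 304
2014-07-02T10:18:45Z 10.0.0.77 GET http://ecom.virtualtravelevent.org/ 200
"""

if __name__ == "__main__":
    watchlist = build_watchlist(DEFANGED_SITES, [EXPLOIT_KIT_HOST])
    found = scan_proxy_log(SAMPLE_PROXY_LOG, watchlist)
    for rec in found:
        print(rec["ts"], rec["client"], rec["host"])
    print("clients to investigate first:", clients_reaching_exploit_kit(found))
```

The same `host_matches` check can be run over URLs extracted from the promotional emails, since the article says the links in those emails were the first sign of trouble. Matching on the bare domain (with any subdomain) rather than the exact "www." form avoids missing visits logged under the apex name.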
-Gene Allsworth, Owner – Rhode Island PC (401) 484-7870
Rhode Island PC, 567 South County Trail, Suite 102, Exeter, RI 02822