Cyphort Labs discovered a new attack campaign that links to malicious exploits from hijacked DNS servers of personal wedding websites. Personal wedding websites are used to aid in planning and communicating important details for a couple’s upcoming wedding. In this attack, it appears DNS on these wedding sites were exploited. Attackers created new two letter DNS entries and pointed them to Russian IP addresses hosting the RIG exploit kit.
Specifically, here are some of the wedding websites used in this campaign:
All of these websites were created by Rob Cross, a wedding videographer.
This attack campaign started on September 28 and is still ongoing as of the time of posting this blog. It works as follows:
2) Second site is redirecting to the malicious payload destination via IFRAME
3) The malicious payload destination is hosted on the Russian IP which the hijacked DNS entry of the wedding web sites points to
This method saves the attacker from registering new domains.
|START||www.sidar.org [do not visit ]|
In this case, sidar.org is the popular website that is injected with a SCRIPT and the user is redirected.
The redirection to malicious EK landing page is achieved via IFRAME on the pdhi-online.org site.
Karimitch.com is a wedding website which DNS has been exploited.
The hosting IP addresses for the EK sites are all hosted in Russia:
- 126.96.36.199 (Moscow, McHost.RU)
- 188.8.131.52 (Moscow, MTW)
- 184.108.40.206 (St Petersburg, IT Grad)
- 220.127.116.11 (St Petersburg, IT Grad)
All of these sites are hosting the RIG exploit kit. RIG became the most popular exploit kit used in the wild since the demise of Angler. See Cyphort webinar on the rise and fall of Angler.
Here are the screenshots of the encrypted and decrypted versions of RIG scripts.
Over 2 million people are potentially at risk, as they visit the sites infected in this campaign. Here is the list of the infected sites, together with estimated monthly visits per SimilarWeb :
AVOID VISITING THESE WEBSITES
363,000 – www.doentesporfutebol.com.br
327,000 – www.dicasdetreino.com.br
266,000 – www.agilemind.com
260,000 – www.sexchan.info
197,000 – www.fulanax.com
180,000 – www.thehollywoodnews.com
161,000 – www.newshub.org
82,000 – www.xorbin.com
69,000 – www.quran-o-sunnat.com
54,000 – www.turboincomesecret.com
43,000 – www.masterbundles.com
40,000 – www.mubs.ac.ug
39,000 – www.mountainsmith.com
31,000 – www.a2zwebhelp.com
22,000 – www.modeltheme.com
21,000 – www.titanicthemes.com
20,000 – www.1stonlinesolutions.com
12,000 – www.vagtune.in
Over 5,000 weddings take place every day in the United States. According to Quora, a custom wedding website could cost as high as $2,000 dollars. It is important to remember to secure your wedding website and its DNS properly so it is not abused by cybercriminals.