Researchers warn about schemes that lead to FlashPack exploit kit
Security researchers have spotted two different online schemes that lead to pages hosting the FlashPack exploit kit.
The first one relies on users visiting a compromised SourceForge sub-domain, where a JavaScript file redirects them to the website equipped with the exploit kit, which pushes on them a malicious Flash file that exploits a vulnerability to download and install a variant of the Carberp trojan.
Malwarebytes’ Jerome Segura doesn’t say how the users are lured or redirected to the compromised site.
The second scheme is centered around a specific add-on that adds social media sharing buttons to websites.
The add-on in question comes in the form of a few lines of JavaScript code that has to be added to the site’s code, and can be freely downloaded from the add-on’s website.
The problem is that for the add-on to function as intended, a JavaScript file from the home page of the add-on is loaded.
“This alone should raise red flags: it means that the site owner is loading scripts from an external server not under their control,” pointed out Joseph Chen, a fraud researcher with Trend Micro.
“It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect.”
And, as it turns out, this particular script is malicious. “On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack,” Chen notes, adding that one of these sites is a free blogging site popular in Japan.
As before, the exploit kit serves Flash exploits which, if successful, download the Carberp trojan on the victim’s computer.
According to Trend Micro, some 66,000 users – mostly in Japan – have been successfully targeted with this last scheme.
Among the vulnerabilities exploited by the kit is the CVE-2014-0497 Flash vulnerability that has been patched earlier this year. Unfortunately, a lot of people aren’t good at keeping their software updated.