Updated @ 8PM PST 5/3/2010 — Added Information about Rogueware and two additional government sites affected

Time and time again we talk about how amateur and professional hackers alike are able to use automated toolkits that identify security vulnerabilities on a computer and exploit them, with little or no technical skill required of the cyber criminal. The spirited script kiddies behind these kits have been wreaking havoc on the Internet, as many of the kits can be downloaded in underground forums for free. Today, we came across an embedded iframe inside the Department of Treasury website. This iframe (pictured below) is used to silently load one of the Eleonore exploit kit's main URLs, which in turn determines the best available exploitation method for the browser accessing the site.

US Treasury Website – Injected iframe

Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit packs that carry the victim on to the second stage of the attack.

US Treasury Website Hack (Session Log)

In my case, the exploit kit figured that Java was the best method of infecting my test machine, although several exploitation methods (mainly PDF) are used by these kits. It's still unclear what the original entry point was into the US Treasury website, and I don't suspect that the US Government will release a detailed report about the compromise, but these threats usually make their way onto websites that have outdated server software, web applications, and/or through web application security vulnerabilities such as SQL injection.

After you are infected, your web browser will start redirecting you to ads and other nasty things, such as Rogueware:

Rogueware spread by US GOV website

I would like to use this post to remind you all to update your web applications and web servers just as frequently as you would your own computer. Doing so will help prevent your website from being hacked and used to propagate these threats on the Internet. You, your visitors, and many others browsing the Internet will be one step closer to a safer browsing experience.
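Alongside patching, site owners can periodically audit the HTML their own server returns for the kind of injected iframe described above. The following is an added example, not code from the original post: the injected markup was only shown as a screenshot, so the sample page, the host names (`example.gov`, `stats.invalid`) and the three heuristics (off-site source, 0/1-pixel size, hidden by style) are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts this site is expected to frame (assumption for the example).
ALLOWED_HOSTS = {"www.example.gov", "example.gov"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample page: one legitimate frame, one injected-style frame.
SAMPLE = """<html><body>
<iframe src="https://www.example.gov/video" width="640" height="360"></iframe>
<p>content</p>
<iframe src="http://stats.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

def _tiny(value):
    """True for width/height values of 0 or 1 pixel (e.g. '0', '1px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Collects iframes that are off-site and/or invisible to the visitor."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative URLs have no hostname and are treated as same-site.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if host and host not in self.allowed:
            reasons.append("off-site src")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("0/1px size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (line, src, reasons) for every suspicious iframe in html."""
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    for line, src, reasons in audit(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run it against pages fetched from the live site rather than the source tree, since injected content may exist only in what the server actually delivers.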