USPS Web Site Infected by Exploit

Researchers at Zscaler discovered Wednesday that malefactors using the infamous Black Hole Exploit Kit had managed to compromise one of the USPS's Web sites.

The USPS National Customer Support Center, at ribs.usps.gov, has been taken down temporarily while the problem is cleaned up. At the moment Google still reports "This site may harm your computer", Firefox calls it a "Reported Attack Page", and other alert systems flag it as dangerous.

Zscaler's researchers tracked the entire process of the attack, which went through several stages. Initially, a string of JavaScript was injected into the USPS page. This obfuscated code, when decoded and executed, inserted a reference to another Web site. That site, now offline, in turn redirected to a third site. According to Zscaler, this final site has been implicated in other attacks.

While the exploit was active, visitors attempting to reach the USPS National Customer Support Center wouldn't have seen any of this. Instead, they would have gotten what appeared to be a standard 404 "not found" error page.

Behind the scenes, this supposed error page was loaded with JavaScript designed to detect the victim's operating system and browser type, as well as the state of important components like ActiveX and JavaScript. The embedded code used the profile information it obtained to determine which of its possible attack payloads to deploy.

This attack has been nullified, though you still can't visit the affected Web site. It's alarming, though, that a page belonging to a big-time institution like the USPS could be used as a vector for this sort of attack.