The website of EC-Council, a New Mexico-based security certification provider that administers certified ethical hacker qualifications, has reportedly been spreading TeslaCrypt ransomware via the Angler exploit kit.
Researchers at security firm Fox IT said they spotted the EC-Council site redirecting users to the ransomware and attempted to privately notify the firm of the problem, but no corrective action was taken, according to a Mar. 24 blog post on Fox IT’s site.
“We first observed the redirect on Monday around 3pm GMT but we suspect it might have been there for a longer period of time,” the post said. Fox IT did not say whether or not EC-Council was spreading the ransomware on purpose.
“The website was compromised in an automated way, it was not targeted,” Fox IT Senior Threat Intelligence Analyst Yonathan Klijnsma told SCMagazine.com via emailed comments.
Klijnsma said the site was compromised via a vulnerable third-party plug-in in its WordPress installations, and that it is unclear why it took EC-Council so long to correct the issue.
He added that it has been safe to visit the site using a Chrome browser on all devices since last week.
To be redirected to the exploit kit, a visitor must meet certain conditions: the visitor must use Microsoft IE, arrive from a major search engine, and have an IP address that is not blacklisted and does not belong to a blocked geolocation, researchers said.
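Because the redirect is served only to visitors matching those conditions, a site owner who checks the page from an ordinary browser sees nothing wrong. The following added example (not from Fox IT or the original article) shows one way a defender can test for this kind of conditional content: request the same URL under a plain profile and under an IE-plus-search-referrer profile, then compare which external hosts each response loads. The header values, HTML bodies and host names are constructed samples, and fetching is left out so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers a scanner would send for each profile (constructed sample values).
PROFILES = {
    "baseline": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/49.0"},
    "gated": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
              "Referer": "https://www.google.com/search?q=example"},
}

# Constructed responses for the same URL under each profile.
SAMPLE_RESPONSES = {
    "baseline": '<html><script src="https://cdn.example.org/jquery.js"></script></html>',
    "gated": '<html><script src="https://cdn.example.org/jquery.js"></script>'
             '<iframe src="http://gate.example.net/landing" width="1" height="1">'
             '</iframe></html>',
}

class ExternalRefs(HTMLParser):
    """Collect the hosts referenced by script and iframe src attributes."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add(host)

def external_hosts(html):
    parser = ExternalRefs()
    parser.feed(html)
    return parser.hosts

def conditional_hosts(responses, baseline="baseline"):
    """Map each non-baseline profile to hosts it loads that the baseline does not."""
    base = external_hosts(responses[baseline])
    findings = {}
    for name, body in responses.items():
        extra = external_hosts(body) - base
        if name != baseline and extra:
            findings[name] = sorted(extra)
    return findings

if __name__ == "__main__":
    for profile, hosts in conditional_hosts(SAMPLE_RESPONSES).items():
        print(f"{profile} ({PROFILES[profile]['User-Agent']}): extra hosts {hosts}")
```

The IP-address and geolocation conditions cannot be exercised from a single vantage point, so a clean result from one network does not rule out a gated redirect.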
UPDATE: This article has been updated to include comments from Yonathan Klijnsma.