Executives at Combe Incorporated may have sprung a few new gray hairs after learning that the website for its Just For Men brand of hair coloring products was compromised to serve up malware.
Internet security firm Malwarebytes discovered on Sept. 16 that hackers had injected JustForMen.com with obfuscated code in order to redirect site visitors to the RIG Exploit Kit, according to a blog post published by the IT security firm. The exploit kit, in turn, would then distribute the password-stealing Trojan Papras in a drive-by download-style attack.
After Malwarebytes disclosed the issue, Combe Incorporated quickly updated its website and appears to have remedied the compromise, the blog post further reported.
The injected code was attributed to the EITest campaign, an ongoing cybercriminal operation known for using a malicious, embedded Flash file to redirect victims to exploit kits – in this case RIG, which Malwarebytes reported has recently surpassed Neutrino in popularity.
“We are still in the post-Angler [Exploit Kit] era, with different kits fighting for domination. RIG has grabbed distribution campaigns from Neutrino – namely EITest and pseudo-Darkleech, which are responsible for the bulk of traffic via compromised websites,” said Jerome Segura, blog post author and lead malware intelligence analyst at Malwarebytes, in an email interview with SCMagazine.com.
The blog post noted that at the time the compromise was discovered, the Just For Men website was running an earlier, vulnerable version of the Yoast SEO plug-in for the WordPress content management system, but the admins have since updated the software to its current version. Most website compromises occur via exploited vulnerabilities in CMS software or their related plug-ins.
SCMagazine.com reached out to White Plains, N.Y.-based Combe Incorporated and received the following corporate statement: “Combe was notified that its Just For Men website had been injected with malware. Immediately upon learning of this issue, we used Malware Bytes to scan for any infected website components or code, and promptly deployed a corrective patch to correct the issue. The issue was short-lived. We have received no reports from consumers experiencing an issue as a result of visiting our website and we are confident that this issue has been fully resolved.”