Threat Management, Malware, Network Security

Hairy situation: Just For Men website rigged to redirect to RIG Exploit Kit


Executives at Combe Incorporated may have sprung a few new gray hairs after learning that the website for its Just for Men brand of hair coloring products was compromised to serve up malware. 

Internet security firm Malwarebytes discovered on Sept. 16 that hackers had injected with obfuscated code in order to redirect site visitors to the RIG Exploit Kit, according to a blog post published by the IT security firm. The exploit kit, in turn, would then distribute the password-stealing Trojan Papras in a drive-by download-style attack.

After Malwarebytes disclosed the issue, Combe Incorporated quickly updated its website and appears to have remedied the compromise, the blog post further reported.

The code used to exploit the website was attributed to the ElTest campaign, an ongoing cybercriminal operation known for using a malicious, embedded Flash file to redirect victims to exploit kits – in this case, RIG, which Malwarebytes reported has recently surpassed Neutrino in popularity.

“We are still in the post-Angler [Exploit Kit] era, with different kits fighting for domination. RIG has grabbed distribution campaigns from Neutrino – namely EITest and pseudo-Darkleech, which are responsible for the bulk of traffic via compromised websites,” said Jerome Segura, blog post author and lead malware intelligence analyst at Malwarebytes, in an email interview with

The blog post noted that at the time the compromise was discovered, the Just For Men website was running an earlier, vulnerable version of the Yoast SEO plug-in for the WordPress content management system, but the admins have since updated the software to its current version. Most website compromises occur via exploited vulnerabilities in CMS software or their related plug-ins. reached out to White Plains, N.Y.-based Combe Incorporated and received the following corporate statement: “Combe was notified that its Just For Men website had been injected with malware. Immediately upon learning of this issue, we used Malware Bytes to scan for any infected website components or code, and promptly deployed a corrective patch to correct the issue. The issue was short-lived. We have received no reports from consumers experiencing an issue as a result of visiting our website and we are confident that this issue has been fully resolved.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.