PBS' Curious George site hacked to serve malware
The website for the popular children's television show "Curious George" was compromised this week to serve malware to visitors, according to researchers at web security vendor Purewire.
The site, which is run by the Public Broadcasting Service (PBS), was propagating malware from at least Monday until Thursday, Nidhi Shah, research scientist at Purewire, told SCMagazineUS.com on Friday.
It is not clear how hackers were able to break into the site, but it is possible that they obtained the credentials to an FTP account or exploited an SQL injection vulnerability, Shah said.
During the time of infection, when users visited the "Curious George" site, they were greeted with a pop-up message notifying them that authentication was required and were prompted to enter a username and password, Shah said. If a user entered the wrong credential, or simply clicked "cancel," the site would display an error page that informed the user they had failed to log in properly.
“I don't know how many people encountered it,” Shah said. “Given how famous and popular this website is, I am sure it's quite a few.”
Kevin Dando, director of digital and education communications at PBS, told SCMagazineUS.com on Friday that the situation has been "completely fixed."
“Internal triggers alerted us to the situation, and we addressed it,” Dando said.
Dando said PBS believes the number of people exposed to the malware was "very low" since it has not received any complaints from website visitors. But he said this incident should serve as a reminder that any system can potentially be exposed to infection.
“Service providers must remain vigilant against threats and be prepared to act aggressively and be ready with pre-established procedures,” Dando said.
The trend of compromising legitimate websites to propagate malware has been gaining steam with cybercriminals, Shah said. In fact, infected websites were dubbed the single biggest threat during the first half of the year, according to security firm Sophos.
In early September, the BusinessWeek magazine website was infected with code that redirected visitors to malicious servers. And during the weekend, some online readers of The New York Times were served an advertisement for rogue anti-virus products after hackers, posing as employees from the telephone company Vonage, bought ad space directly from the newspaper.