Malware, Network Security, Threat Management, Vulnerability Management

PBS’ Curious George site hacked to serve malware

Updated Friday, September 18, 2009 at 6:18 p.m. EST

The website for the popular children's television show "Curious George" was compromised this week to serve malware to visitors, according to researchers at web security vendor Purewire.

The site, which is run by  the Public Broadcasting Service (PBS), was propagating malware from at least Monday until Thursday, Nidhi Shah, research scientist at Purewire, told SCMagazineUS.com on Friday.

It is not clear how hackers were able to break into the site, but it is possible that they obtained the credentials to an FTP account or exploited an SQL injection vulnerability, Shah said.

During the time of infection, when users visited the "Curious George" site, they were greeted with a pop-up message notifying them that authentication was required and were prompted to enter a username and password, Shah said. If a user entered the wrong credential, or simply clicked "cancel," the site would display an error page that informed the user they failed to properly login.

Hiding behind the scenes of that error page, though, was malicious obfuscated JavaScript code placed by cybercriminals, Shah said. The JavaScript silently loaded malware from an exploit site that targeted a number of known software vulnerabilities in Adobe Acrobat Reader, AOL Radio AmpX and SuperBuddy and Apple QuickTime. If a user was not patched against these bugs, malware was installed.

“I don't know how many people encountered it,” Shah said. “Given how famous and popular this website is, I am sure it's quite a few.”

Kevin Dando, director of digital and education communications at PBS told SCMagazineUS.com on Friday that the situation has been "completely fixed."

“Internal triggers alerted us to the situation, and we addressed it,” Dando said.

Dando said PBS believes the number of people exposed to the malware was "very low" since they have not received any complaints from website visitors. But, he said this incident should serve as a reminder that any system can potentially be exposed to infection.

“Service providers must remain vigilant against threats and be prepared to act aggressively and be ready with pre-established procedures,” Dando said.

The trend of compromising legitimate websites to propagate malware has been gaining steam with cybercriminals, Shah said. In fact, infected websites were dubbed the single biggest threat during the first half of the year, according to security firm Sophos.

In early September, the BusinessWeek magazine website was infected with code that redirected visitors to malicious servers. And during the weekend, some online readers of The New York Times were served an advertisement for rogue anti-virus products after hackers, posing as employees from the telephone company Vonage, bought ad space directly from the newspaper.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.