Updated on June 24, 2014 at 4:50pm ET to reflect comments from AskMen.com.
Hackers have compromised AskMen.com, a men’s interest website on dating, celebrity news, and health – and they could be infecting thousands of users with malware, according to security researchers at Websense Inc.
While Websense researchers are still investigating how this happened, the most likely scenario is that hackers were scanning for popular sites for vulnerabilities. After finding one on AskMen.com, they launched a cross-site scripting attack and injected malicious code into a number of places on the site, as well as on localized versions of it.
The malicious code would then redirect AskMen.com visitors to a place where they would download Caphaw, a type of malware that allows hackers to automatically steal banking credentials and other kinds of crucial personal data. It also could let them bridge themselves onto a victim’s network. The exploit works if the site visitor is using an outdated version of Java or Adobe Reader, and all of this happens in the background, meaning site visitors who aren’t equipped with antivirus might never realize their systems are infected.
And considering AskMen.com is an Alexa-rated site, garnering more than 10 million visits every month, this could be really risky for people heading over to that site, said Alex Watson, director of security research at Websense.
While he couldn’t give an estimate of the number of people who may have downloaded the malware, he estimated it was “in the thousands,” and added it would probably primarily affect site visitors based in Canada, the U.S., and the U.K.
“We saw a fair amount of traffic on Monday morning … and we blocked every incident we saw, but it would very difficult to judge globally,” Watson said. “I can’t comment on how successful this particular campaign would be.”
Websense researchers first noticed the code injections on AskMen.com on June 21, when their analytics picked up on some code obfuscation techniques on the site. They alerted AskMen.com’s host master early Monday morning, but they haven’t heard back yet, Watson said.
“We have a pre-established policy to reach out to a compromised site and give them a period of time before going public. But really, the largest risk at this point was to our customer base,” he said.
“So there’s an Alexa-rated website that’s serving malicious content to anyone that visited the site. So I think you’re weighing wanting to allow the company to handle their security issue with the risk to customers. We decided to go out and protect people who might be visiting their website.”
In the meantime, he recommended that businesses and website owners who want to protect themselves from the same fate need to ensure they have a strong web security solution, which protects the web gateway against inbound threats.
For its part, AskMen.com said it hasn’t noticed an attack.
“We’ve done a thorough investigation and there is no evidence of any malware. We take security issues very seriously and we have multiple measures in place to protect our users. We’re also in contact with the vendor who purported to see evidence of an attack,” a spokesperson for the company said via email.
A story on Threatpost.com reported a AskMen.com spokesperson as saying the site had not received any messages from Websense, nor had its developers found any malware.
