NBC Sports Website Compromised With Malicious Software
DigitalJournal.com has come to learn that the official Website of NBC Sports had been attacked with malicious software on March 19, 2008, according to security firm Websense.
Compromises of leading sports sites have occurred earlier as well. For instance, in February 2007, Websense Security Labs found that the official site of the Dolphin Stadium that was then hosting the Super Bowl was hacked into using malicious code with the intention to grab private information.
Websense Security Labs explained to DigitalJournal.com how the attack on MSNBC had also snatched control of several other high-profile sites.
Manager of Websense Security Labs, Stephan Chenette, told DigitalJournal.com on March 19, 2008, how the attack could place site users at risk. He explained how a visitor who accesses the site from any search engine would indicate his search query to the site. So, anyone who searches something by entering his text would allow the Website to learn the series of text of his search query and then, the site would embed that search request within its search space to get the visitor more accurate results.
However, according to Chenette, online attackers have taken advantage of Websites that use the Search Engine Optimization of NBCSportscom and have started making queries for the high-profile sites on search engines while attaching malicious iframes to those queries.
Sites like MSNBC Sports and ZDNet Asia would then accept those queries together with the iframe and set them on their site's search page. In carrying out this, the attacker doesn't have to hack the Website in order to implant malicious content on its page because the site does the job of its own.
Chenette added that the Search Engine Optimization attack is currently a major ongoing problem. So, it is important that MSNBC performs the content's input validation on receiving any from a search engine.
» SPAMfighter News - 02-04-2008