On June 28, the popular video service Dailymotion was hacked to redirect its users to the Sweet Orange Exploit Kit. This exploit kit exploits vulnerabilities in Java, Internet Explorer, and Flash Player. If the vulnerabilities in these applications are successfully exploited, pay-per-click malware is downloaded to the victim's computer. As of this week, Dailymotion is no longer infected, as security technicians have successfully eliminated the threat.
The attackers compromised Dailymotion by injecting an iframe into its website. Recall that Dailymotion ranks near the top of Alexa's list, among the 100 most popular websites, so the attackers could potentially infect numerous computers with malware through this attack. The attack mainly hit Dailymotion visitors from the US and Europe.
How did the attack work?
Using the iframe injected into the Dailymotion website, the attackers were able to redirect users to a different website. This site in turn sent users to a page hosting the Sweet Orange Exploit Kit (Symantec has been aware of it since 2013).
The exploit kit can detect vulnerable plugins on the user's computer and use the exploits it needs. Sweet Orange exploits the following known vulnerabilities:
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
- Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
- Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2013-2460)
If the exploit kit successfully exploits any of the above vulnerabilities, it downloads Trojan.Adclicker to the victim's computer. This malware forces the infected computer to click on pay-per-click advertisements in order to generate revenue for the attackers.
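
A site owner's check for the kind of iframe injection described above, as an added example that is not part of the original article: it parses a served page and flags iframes that load from hosts outside an allowlist or that are hidden from view. The host names, the allowlist and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this (hypothetical) site legitimately frames.
ALLOWED_FRAME_HOSTS = {"www.example-video.test", "static.example-video.test"}

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

def _is_hidden(attrs):
    tiny = any(attrs.get(d, "").strip().rstrip("px") in {"0", "1"}
               for d in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))

class IframeAuditor(HTMLParser):
    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host, self.allowed, self.findings = page_host, allowed_hosts, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # Relative URLs resolve to the page's own host; "//host/x" keeps its host.
        host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        if host not in self.allowed:
            reasons.append("host not in allowlist")
        if _is_hidden(a):
            reasons.append("hidden or near-zero size")
        if reasons:
            self.findings.append({"src": src, "host": host,
                                  "line": self.getpos()[0], "reasons": reasons})

def audit_iframes(html, page_host, allowed_hosts=ALLOWED_FRAME_HOSTS):
    auditor = IframeAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one legitimate player frame, one injected frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://static.example-video.test/player" width="640" height="360"></iframe>
<iframe src="//redirector.invalid/go" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/embed/comments" style="width:100px;height:80px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_PAGE, "www.example-video.test"):
        print(f)
```

Run against pages as they are actually served (not only the templates in source control), since an injection of this kind lives in the delivered HTML.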