NBC Cleans Up Site After Citadel Compromise

For a brief time on Thursday, NBC.com, as well as other brand-related domains, were hijacked and used to deliver malware to visitors. The broadcasting corporation is still working to determine how the compromise occurred and how long the malicious code existed on their Web-based properties.

The attack against visitors to NBC.com came from Iframes linking to the Citadel Trojan, which if successfully installed on a victim’s system, steals personal and financial information. NBC, in a statement to the media, claimed that no user data was stolen.

Yet, given that they do not control the Citadel C&C, and they don’t know where the attack originated from, they have no way of knowing how many users were infected and no way of knowing if sensitive information was stolen. Thus, they are either blissfully clueless, or they are only speaking to the Webservers and databases that were compromised.

In addition to Citadel, ZeroAccess was also discovered during research into the attacks. This malware moderates an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, according to research from security firm SurfRight (Hitman Pro). 

The domains that were used in the attack, where Citadel and ZeroAccess were housed, were managed by the RedKit Exploit kit, enabling the attackers to rotate attack domains on an hourly basis.

In response to NBC’s security issues, Google and Facebook issued warnings or outright blocked access to the broadcaster’s domain – but these restrictions were lifted early Friday morning. NBC’s main domain was impacted, but domains for Jimmy Fallon’s TV show and a promotional page for Jay Leno were also hijacked.

Other than a brief statement to the media that the investigation in to the attack was ongoing, and no user information was stolen (which may not be true), NBC has made no further comments on the matter, but we’ll update this story if that changes.