Connect with us

Hi, what are you looking for?



Popular Media Websites Compromised to Deliver Malware to Visitors

Several media sites, including two Washington, DC-based radio stations, have been compromised to infect unsuspecting visitors’ systems with fake antivirus software. 

Several media sites, including two Washington, DC-based radio stations, have been compromised to infect unsuspecting visitors’ systems with fake antivirus software. 

The Christian Post, Real Clear Science, and Real Clear Policy appear to also have been compromised, according to researchers at Zscaler ThreatLabz. Invincea researchers said the exploit kit served up the same fake antivirus, which infected visitors to, belonging to popular blogger John Dvorak, over the weekend.

Users who have visited using Internet Explorer in the past 36 hours may have been affected, according to a statement from WTOP. Visitors using other Web browsers such as Chrome, Firefox, or Safari, should not be affected.

“We are working diligently to contain and stop the attack, and apologize for any inconvenience this has caused,” WTOP said.

Internet Explorer users are currently being blocked from seeing WTOP “to help protect you and prevent any further damage,” according to the statement. The same measures appear to be in place at

As of this morning, WTOP was still serving up the malware. “Do not browse to this site until further notice,” wrote Eddie Mitchell, a security engineer at Invincea, in the company’s analysis of the attack.

Shortly after visiting the site that had been compromised, Internet Explorer attempts to launch a Java application from a suspicious URL, Invincea researchers found. After the process executes, it creates a shortcut on the Desktop named “Internet Security 2013” to point users to a popular fake antivirus scam.

Advertisement. Scroll to continue reading.

The malicious code relied on exploits targeting vulnerabilities in Java and Adobe Reader to install the fake antivirus, Mitchell said.

The flaws have all been patched a while ago (Oracle has released several other updates since its January patch), so users should make sure to download and install patches in a timely manner.

Oracle patched the Java 7 flaw, namely a security manager bypass vulnerability affecting the Java Runtime Environment (CVE-2013-0422) back in January. The input validation issues (CVE-2009-0927) and the other vulnerability which can cause a denial of service condition (CVE-2010-0188) affected Adobe Reader and Acrobat 9 and earlier.

Users who may have been infected should run a scan on their computers using a legitimate security tool as soon as possible.

The malicious code was injected into the wp-config.php file for the WordPress content management system on, Mitchell said. It is not known how the sites were initially compromised, or where the malicious code was injected on WTOP and Federal News Radio sites.

Mass compromises are “now the norm,” Zscaler’s security resaercher Chris Mannon wrote in the company’s write up of the attack. Attackers comb the Web looking for popular sites with a specific application vulnerability and then exploit the flaw in order to inject malicious code. The legitimate, but compromised, site now can infect all users visiting the site.

In the case of Federal News Radio and WTOP, the malicious code executed and redirected to a malicious IFRAME only when the visitor was using Internet Explorer, Mannon said. WTOP and FederalNewsRadio delivered fake antivirus scams and ZeroAccess Trojans to victims, Mannon said.

“This is likely an indicator of a larger more widespread attack against online media sites,” Invincea’s Mitchell said. While may have just been an opportunistic attack and not specifically targeting the site’s users, Federal News Radio’s target audience happens to be federal employees. Compromising may be part of a watering hole attack, Mitchell said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.