TSA website link leads to Blackhole exploit kit

The AVG Web Threats research group has detected an obfuscated redirect on a page belonging to a vendor listed by the US Transportation Security Administration (TSA) web site.

Visitors following the link on a TSA page were also served exploits via a Blackhole exploit kit. AVG personnel alerted TSA and the vendor to the problem and the link has been removed.

The TSA page at http://www.tsa.gov/travelers/airtravel/assistant/locks.shtm contained an image link to the “Travel Sentry” service at http://www.travelsentry.org/.

The company appears to be Swiss, judging by the whois contact information for its site.

Earlier in the day the injected script was different, though still detected by AVG, and led to http://walksquestionmark.in/404notfound.

Both of these exploit sites served up a packed script that redirected to a second packed script: an MDAC exploit which attempts to download and run an executable from the same server.

Obfuscated Blackhole script

AVG Web Threats Research Team
