NBC hack infects visitors in ‘drive by’ cyberattack

Posted at 12:49 PM, Feb 22, 2013
and last updated 2013-02-22 12:49:54-05

By Julianne Pepitone

NEW YORK (CNNMoney) — Chances are, you know not to open that e-mail attachment from the “Nigerian prince” who wants to give you a hundred grand. But a hack of some sites on Thursday proves you can accidentally download malware even when visiting a reputable website.

The hack, which affected NBC’s site and related sites for “Late Night with Jimmy Fallon” and “Jay Leno’s Garage,” infected visitors to the compromised sites with the Citadel Trojan. The potent strain of malware is used for cyberespionage and to steal bank account information.

Infecting computers with malware when they navigate to a website is called a “drive-by download,” and cybersecurity experts say it’s a growing — and terrifying — attack technique. Users who are simply surfing the Web can unwittingly stumble upon a hacked website, which may look completely normal.

Security researcher Dancho Danchev, who wrote a detailed blog post about the attack, told CNNMoney the hack was both invisible to the average user and tough even for security experts to track.

“The cybercriminals behind the campaign embedded invisible … elements on the main page, which they periodically rotated to prevent detection from security vendors and researchers,” Danchev said.

The tool used to inject malicious code into the site is called RedKit. It first popped up in May 2012, and it has reared its ugly head many times since, Danchev noted.

When a user clicks on a malicious Web site, RedKit checks whether the user is running outdated versions of software or browser plugins. If it does detect any outdated software, it exploits that weakness, installing malicious software on the user’s computer. (Typically, those weaknesses get fixed in newer versions of the software.)

While the identity of the cybercriminals isn’t yet known, Danchev said he found a link between the hack and a group that spammed Facebook and Verizon Wireless customers last year, phishing for account information.

The security breach was a sophisticated attack, unlike the amateur hacks of the Burger King and Jeep Twitter accounts, which were taken over on Monday and Tuesday.