By: ThreatLabz

Redcross Site Hacked

Uncategorised

In this morning's logs I noticed that Zscaler detected malicious content within redcross-esc.org web-pages. Turns out that the site was a victim of a malicious iFrame injection, and I thought a short post on this would be a good follow-up from Umesh's previous post on hidden malicious iFrames.

redcross-esc.org belongs to the American Red Cross East Shoreline Chapter and is hosted on GoDaddy. Pages infected include:

 

  • hxxp://www.redcross-esc.org/gethelp/index.html
  • hxxp://www.redcross-esc.org/getinvolved/index.html
  • hxxp://www.redcross-esc.org/givemoney/index.html

Screenshot of malicious iFrame:
First stage decode:
Final decode writes iFrame to hxxp://foxionserl.com/:

Fortunately the foxionserl.com domain is not currently resolving, so the malicious page is not being pulled - Google results show that it had hosted a Adobe Acrobat PDF Reader exploit. Notifications are being sent to Redcross and GoDaddy.

 

Learn more about Zscaler.