Gizmodo’s Brazil regional site was in the news for being compromised earlier this year. It was a prominent attack, and the malware spread to over 7000 within two hours. A malicious proxy auto-configuration script was added to the main Gizmodo Brazil page, and users were redirected to another compromised website that automatically downloaded a fake, malicious Adobe Flash file.
The anatomy of the Gizmodo Brazil attack published by Trend Micro shows that the website was compromised via WordPress plugin vulnerabilities. Internet Explorer and Firefox users were infected through a malicious script added to the main page of Gizmodo, which eventually led to the installation of a fake Adobe Flash file on their systems. This installation delivered the malware randomly and redirected some specific URLs to an HTTP proxy owned by the attacker. Non-targeted users got a “Page Not Found” error.
Chrome users were hit via a malicious Flash Player Chrome extension, detected as BKDR_QULKONWI.GHR BOLWARE, which was hosted on Google Drive. This malware spread the online banking Trojan and also targeted Brazilian payment systems.
Trend Micro has released the detailed anatomy of the attack through this video, which contains complete details of the attack and the capabilities of BOLWARE.
Do check the video carefully to learn how Gizmodo Brazil users were compromised and to avoid getting scammed by such attacks.