Websites Hacked to Spread Citadel Banking-Theft Malware

A rampage of hackers, purportedly out of China, has set its sights on large U.S.-based websites in what could turn into a hacking spree targeting sites like NBC's, which is suspected to have spread malware after being attacked this week.

The site was hacked Thursday, hit by what is believed to be a drive-by download attack, in which malware is downloaded onto the computers of users who simply visit the compromised site. Although the problem was resolved relatively quickly, experts believe that many visitors to the site could have had their computers infected with malicious software identified as a variation of the Citadel Trojan.

The media is in a whirlwind of reports that hackers are busier than ever in their attempts to break into various large entities in the United States. So far, experts believe that these hackers, potentially gangs out of China or Eastern Europe, have set their eyes on a multitude of large websites and have been successful with attacks on Facebook, Twitter, Apple and now NBC.

It is a stark coincidence that President Barack Obama announced new efforts to ramp up cybersecurity in the U.S. just last week in the State of the Union Address. Could hackers have taken the President's cybersecurity call as a reason to make their attacks now?

Analysis of the recent site hack has uncovered that the malware being spread was a newer variation of the Citadel Trojan, a treacherous Trojan primarily used by criminals for pilfering online banking data and for cyber-espionage. While the hacked site was infecting visiting computers, many security firms warned computer users not to visit NBC's site for the time being, in addition to other sites, such as those for Late Night with Jimmy Fallon, Jay Leno's Garage and others. This particular version of the Citadel Trojan is not a widely detected malware threat. In fact, the Dutch security firm Fox-IT said in a blog post, "This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on"

With this type of Citadel Trojan on the loose, future attacks could easily lead to an outbreak of an aggressive banking-theft threat. Moreover, attackers are making use of exploit kits like RedKit together with the Citadel crimeware toolkit to target PCs in an effort to steal U.S. financial institution account details. The targeted financial institutions include some of the largest banks in the United States, such as Bank of America, Chase, USAA, Citibank, American Express, Schwab, Fifth Third Bank, Wells Fargo and others.

The video below, posted as the attack took hold of the site, is a news report on how the malware may have spread through the hacked NBC web pages, and on how similar hacking attacks have spread across the U.S. recently.

Those who used the Google Chrome browser, with its built-in malware detection features, were served a 'Danger: Malware Ahead!' warning screen (figure 1 below) instead of the infected site. Some affected computer users could have thought such a screen was related to the rash of Java attacks served up by hackers recently. Although this is plausible, it is yet another coincidence that the hacking attack coincides with Oracle and Adobe releasing patches for several critical vulnerabilities found in Java, Reader and Acrobat.

Figure 1. Google Chrome browser displaying 'Danger: Malware Ahead!' notice when visiting site during hacking on February 21, 2013.

For now, the site has recovered from the hacking incident, and visitors are no longer in danger of having their computers infected with malware. Experts are still examining what exactly took place in the attack, possibly to learn what to expect in the next rash of attacks.