Researchers at Websense have discovered malware being served by AskMen.com, a popular portal dedicated to men. As an Alexa top 1000 website, AskMen sees some 11.6 million visitors a month, offering the attackers a large pool of potential victims.
Websense discovered the compromise on Monday. At the time of its report, the domain administrators had been told of the compromise but had not acknowledged the notification.
Until the issue is resolved, it's best to avoid the domain altogether.
"The injected code has been found in multiple locations within the main website as well as in localized versions of it," Websense's researchers explained.
Digging into the attack, Websense says the website is attempting several exploits against visitors; if one succeeds, the victim is infected with the Caphaw Trojan. Caphaw is a banking Trojan: it harvests banking credentials, gives a remote operator access to the infected system at will, and can install additional malware on command.
The malicious code observed so far attempts to exploit Java and Adobe Reader, and the obfuscation techniques it uses strongly tie the attack to the Nuclear exploit kit.
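What a defender triaging a page like this would look for, as an added example that is not Websense's analysis and contains nothing from the AskMen pages: a small Python scanner that flags the three generic traits of a drive-by injection, a hidden iframe redirect, an inline script that combines obfuscation calls with a long encoded string, and a plugin loader pointing at a .jar/.pdf/.swf file. The indicator strings, the 200-character threshold and the sample HTML are constructed assumptions for illustration, not the signatures of the actual injection.

```python
import re
from html.parser import HTMLParser

# Constructed heuristics for spotting injected drive-by code. These are
# generic indicators, not the markers Websense used on the AskMen injection.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
PLUGIN_EXTENSIONS = (".jar", ".pdf", ".swf")
LONG_LITERAL = re.compile(r"""['"][^'"]{200,}['"]""")  # one quoted blob of 200+ chars


class InjectionScanner(HTMLParser):
    """Walks an HTML document and records (category, detail) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                # 0x0 or invisible frames are the classic silent redirect to an exploit kit
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag in ("applet", "embed", "object"):
            src = a.get("archive") or a.get("src") or a.get("data") or ""
            if src.lower().endswith(PLUGIN_EXTENSIONS):
                # a loader for Java, Reader or Flash content pulled from elsewhere
                self.findings.append(("plugin_loader", src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            # flag only when an eval-style call co-occurs with a long opaque literal,
            # so ordinary analytics or widget scripts are not reported
            if any(m in body for m in OBFUSCATION_MARKERS) and LONG_LITERAL.search(body):
                self.findings.append(("obfuscated_script", body[:40]))


def scan_html(html):
    """Return the list of (category, detail) findings for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one benign script plus three injected elements.
# The hosts are reserved .invalid names, not real infrastructure.
_ENCODED_BLOB = "%75%6e" * 120  # stands in for a URL-encoded payload string
SAMPLE_HTML = (
    "<html><body>\n"
    "<p>Normal article content</p>\n"
    '<iframe src="http://example.invalid/load.php" width="0" height="0"></iframe>\n'
    '<script>var s="' + _ENCODED_BLOB + '";eval(unescape(s));</script>\n'
    '<applet archive="http://example.invalid/a.jar" code="Main.class"></applet>\n'
    '<script>console.log("benign widget");</script>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for category, detail in scan_html(SAMPLE_HTML):
        print(category, detail)
```

Run against a saved copy of a suspect page (`scan_html(open("page.html").read())`), the output lists the injected elements and where they point; the benign script in the sample is deliberately left unflagged because it has no long encoded literal. Heuristics like these produce false positives on legitimate minified scripts, so they are a triage aid for deciding what to pull into a sandbox, not a verdict.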
Given the traffic AskMen sees on a given day, the number of people exposed before this is resolved could run to tens of thousands.
While the vulnerabilities targeted have been patched by their respective vendors, not everyone has applied those patches. Moreover, given the trust placed in known brands such as AskMen, most visitors would not question the domain or any sudden redirect.
Websense has posted additional technical details on their blog.
On Twitter, the official AskMen account responded, saying its team is investigating Websense's report but noting that it had received no contact from the security vendor.
@SteveD3 Our team is looking into this, though we never received any emails from Websense.— AskMen (@AskMen) June 23, 2014
@SteveD3 If they did, we would know. They can reach me directly at firstname.lastname@example.org if anything.— AskMen (@AskMen) June 23, 2014