AskMen website compromised, code injections leading to Caphaw infections

Nuclear exploit kit blamed for this latest attack

malware keyboard skull and crossbones

Researchers at Websense have discovered malware being served by, a popular portal dedicated to men. As an Alexa top 1000 website, the AskMen sees some 11.6 million visitors a month, offering the attackers a large pool of potential victims.

Websense discovered the compromise on Monday, and at the time of their report, the domain administrators have been told of the compromise, but hadn't acknowledged the reports.

Until the issue is resolved, it's best to avoid the domain altogether.

"The injected code has been found in multiple locations within the main website as well as in localized versions of it," Websense's researchers explained.

"When a user browses to the main website, the injected code loads automatically and silently redirects the user to a website serving the actual exploit code. The injected code is obfuscated and can be found at the bottom of legitimate JavaScript pages on AskMen's website."

Digging into the attack, Websense says that the website is attempting to use several exploits against visitors, and if successful, the victim is infected with the Caphaw Trojan. Caphaw is a malware family known to harvest banking credentials, as well as open the system to remote installation of additional malware. As a Trojan, it also allows a remote attacker to access the infected system at will.

So far, the malicious code will attempt to exploit Java and Adobe Reader. The obfuscation techniques employed in the code strongly tie the attack to the Nuclear exploit kit.

Given the amount of traffic that the AskMen website sees on a given day, until this is resolved, the potential attack surface could include tens of thousands of people.

While the exploits targeted have been patched by their respective vendors, not everyone has applied said patches. Moreover, given the inherent trust placed in known brands such as AskMen, most people wouldn't question the domain or any sudden redirects.

Websense has posted additional technical details on their blog.


On Twitter, the official AskMen account reached out, offering assurances that their team is investigating the report made by Websense. However, the message also noted that they hadn't received any contact from the security vendor.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)