• United States



by Staff Writer confirms server breach after Google flags them for malware

Oct 25, 20133 mins
Application SecurityCybercrimeData and Information Security

In the wake of yesterday's flagging, confirms that two of its servers were compromised

Hours after Google’s Safe Browsing initiative flagged the website for malware, confirmed that two of their servers were compromised and used to attack visitors. However, the administrators are still not sure how the attackers accessed the servers.

[ flagged for malware by Google, researchers confirm it was no false positive]

The admission follows a lengthy debate over whether or not Google incorrectly flagged the domain, and after several people connected to said they could find nothing malicious about the file in question, a JavaScript that was determined to have been altered in order to embed malicious iFrames.

According to Google’s initial report on Thursday, there were only four pages on serving the malicious JavaScript file (userprefs.js), which was modified with seemingly selective obfuscated code that targeted desktop users, but ignored those on mobile devices. However, the stance that Google was wrong in their assessments has since changed:

“… the systems team have audited every server operated by, and have found that two servers were compromised: the server which hosted the, and domains, and was previously suspected based on the JavaScript malware, and the server hosting The method by which these servers were compromised is unknown at this time,” a status update on explained.

Further, the SSL certificate used on was revoked out of caution, and a new one was assigned a short time after. All affected services on the two compromised servers have been migrated, and it has been confirmed that the Git repository was not compromised.

Long before the admission of a breach, security experts were certain that Google’s flag was no false positive. Barracuda Labs released a pcap (packet capture) file, showing clear signs of malicious activity, including malicious Shockwave (Flash) files being delivered after the JavaScript in question was loaded. Later in the evening, Fabio Assolini, from Kaspersky Labs, reported that the iFrame created by the JavaScript was pointing to an installation of the Magnitude Exploit Kit, and it was attempting to drop an information-stealing Trojan called Tepfer.

Additional research from Trustwave’s Spider Labs confirmed the Shockwave (Flash) exploit attempt, but they also discovered that the script was targeting CVE-2013-2551, an Internet Explorer flaw discovered by exploit clearinghouse VUPEN during this year’s Pwn2Own competition at CanSecWest.

[Poor design fosters hacker attacks of websites running PHP]

It’s unknown how many users may have been infected by the rogue JavaScript, but says the malicious code was active from October 22, until it was discovered and removed on October 24. The attack window is small, but is in the top 250 domains on the Internet, according to Alexa rankings, so the pool of potential victims is massive. user accounts will have their passwords reset over the next few days, if the account is used to commit code to any projects. A full post-mortem of the incident is expected sometime next week.