Security researchers from Websense Security Lab have discovered that the most popular science reference site, Popular Science, has been hacked and is redirecting visitors to a third-party domain hosting the popular Rig Exploit Kit. Once visitors reach this third-party page, the Rig Exploit Kit malware is downloaded onto their computers.

The Popular Science website is owned by Bonnier Magazine Group, which also publishes a magazine called Popular Science in addition to having a dedicated mobile app for it called PopSci.com. The popularity of Popular Science can be gauged from the fact that it is translated into over 30 languages and goes out to at least 45 countries. Though the exact number of visitors to the PopSci website is not known, Alexa.com ranks it at 6297 globally and 2234 in the US.

Modus Operandi

The hackers injected a malicious iFrame into the website. This automatically redirected visitors of the PopSci website to a third-party domain hosting the RIG Exploit Kit. The same RIG Exploit Kit was used in the US Metro hack as well.

Websense researchers stated that, unlike most malware, which deploys a traffic distribution system to send users through a series of redirects before they land on the page hosting the exploit kit, PopSci is routing users directly to the infection. In fact, this is the standard operating procedure of the RIG Exploit Kit. Websense said that this particular exploit kit was exploiting a Microsoft ActiveX bug from 2013 (CVE-2013-7331, an XMLDOM ActiveX control vulnerability) in order to determine what, if any, antivirus product is running on the victim system. Websense found that the hackers had heavily obfuscated the exploit kit landing page to make analysis and detection more difficult. Websense stated that, as PopSci is very popular among students and fans, the infection rate of the malware was also found to be high. As per Websense, 43% of all infections are in the U.S., the U.K. and the Netherlands, but the malware infections were found all over the world.
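A defender-side check for the iframe injection described above, as an added example that is not from Websense or the original article: it lists every iframe on a page whose source host is outside a site-maintained allow-list. The hostnames, the allow-list and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def unexpected_iframes(html, page_url, allowed):
    """Return absolute iframe URLs whose host is outside the allow-list."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        # Host-less schemes (data:, javascript:) yield "" and are flagged too.
        host = urlsplit(absolute).hostname or ""
        if absolute != "about:blank" and not host_allowed(host, allowed):
            flagged.append(absolute)
    return flagged


# Constructed sample markup; every hostname is a placeholder.
SAMPLE_PAGE = """
<iframe src="/widgets/newsletter.html"></iframe>
<iframe src="https://video.partner.example/embed/42"></iframe>
<IFRAME SRC="//cdn-stats.unknown-host.example/landing?id=7"></IFRAME>
"""
ALLOWED = {"site.example", "partner.example"}  # hypothetical allow-list


if __name__ == "__main__":
    for url in unexpected_iframes(SAMPLE_PAGE, "https://www.site.example/article", ALLOWED):
        print("unexpected iframe:", url)
```

This inspects static markup only; an iframe written into the page by script at load time needs a check against the rendered DOM.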

The compromise was discovered by researchers from the Websense Security Lab, who said they contacted the IT team at Popular Science and informed them of the breach. As Popular Science has not officially commented on the infection, it is not known whether the site has been patched yet.