Pre-Christmas browsers get more than they were angling for

Tempting collection of free Christmas images lures 60,000 users into Angler exploit kit sleigh ride. Destination: CryptoWall 4.0.

Not everything is ho-ho-ho at Christmas (Terry Pratchett's The Hogfather)

Watch out for unexpected guests dropping in this Christmas. A website offering free seasonal graphics has been injected with malicious code, according to Raytheon|Websense.

The malicious code, said Websense, leads you on a virtual sleigh ride to the Angler Exploit Kit before dropping CryptoWall 4.0 ransomware down your cyber-chimney.

The compromised website is christmas-graphics-plus[.]com, which offers free Christmas graphics – plus a little bit more.

Websense estimates that the site, which has grown in popularity in the past few months, has targeted up to 60,000 users.

A malicious traffic direction system (TDS) is hidden in an HTML iframe within the site. The TDS determines whether a user should be forwarded to more malicious code based on the browser user-agent, IP address and referring website.

Websense said that someone using Microsoft IE might be targeted, whereas someone using another browser might not.

From the TDS, the user is directed to the Angler landing page which determines which vulnerabilities to target. If successful, it will download CryptoWall 4.0 ransomware.

Websense said this is an example of the growing sophistication of malware attackers, in this case laying out a smorgasbord of tempting Christmas freebies to lure the unprotected.

Carl Leonard, principal security analyst at Raytheon|Websense, said: “Anyone that ignores using adequate protection or refuses to update to the latest software remains particularly vulnerable to these sorts of attacks, which don't require any user interaction. Software updates are for life, not just for Christmas, so it is vital that users and companies are always up to date.”