Italian-language page at MSN redirects to Cool Exploit Kit, serves ransomware

Last week, security researchers from AVG's Web Threat Research Group detected a malicious JavaScript on an Italian-language page at MSN that was dropping ransomware on the affected hosts. How trusted are high profile "trusted" Web sites?

Last week, security researchers from AVG's Web Threat Research group detected a malicious JavaScript on an Italian-language page at MSN, which was at the time redirecting to the Cool Exploit Kit, ultimately dropping ransomware on the affected hosts.

The infection of such a high profile Web site, given the huge traffic volume hijacked during the campaign, raises an important question: can you really trust those "Trusted Web Sites" that average and corporate users often assume are secure by default? The truth is that you can't afford to "wait and see"; you need to always assume the worst, for the sake of your data's, host's and network's CIA (Confidentiality, Integrity, Availability).

Over the years, cybercriminals have learned that it's easier and more efficient to inject malicious scripts into hundreds of thousands of Web pages than to target a few high profile Web sites. It's not that they don't want to; it's just more efficient and easy to exploit the "Long Tail" concept. Naturally, that entirely depends on the attackers in question.

For instance, this isn't the first time that pages within MSN's domain have served malware to their visitors. Back in 2008, MSN Norway fell victim to a malvertising campaign, followed throughout 2009 by a series of direct and indirect compromises of highly trafficked Web sites, affecting the New York Times as well as many other high profile Web sites such as CNN, BBC, Washington Post, GameSpot, World Of Warcraft, Mashable, AndroidCommunity and Engadget, proving that no one is safe. And although the media's attention is constantly emphasizing the emergence of targeted attacks and cyber espionage campaigns, noisy mass SQL injection campaigns and traffic acquisition tactics relying on malvertising are definitely not a thing of the past.

AVG has notified Microsoft, and the malicious JavaScript has been removed.

Do you think the time has come for the industry to admit that there's no such thing as a trusted Web site, and that users should always assume the worst by default? Do you maintain a list of trusted Web sites, and what makes you think they're trusted enough to be allowed to run active content?
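One practical answer to the "trusted site" question is to stop trusting the site and instead baseline what script it is expected to load. The script below is an added example written for this post (it is not AVG's, Microsoft's or the author's code, and the markup and hostnames in it are constructed placeholders, not the real MSN page or any real indicator): it parses a fetched page, lists every external script whose host is neither the page's own host nor on an allowlist, and counts inline script blocks so that a sudden new one, like an injected redirect, stands out against a known-clean baseline.

```python
"""Flag script tags on a fetched page that do not come from an expected origin.

Added defensive example: compare the scripts a page loads against an
allowlist so an injected off-site script or redirect snippet is noticed
even on a site the user would normally consider "trusted".
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real MSN markup): one first-party script,
# one allowed partner script, one injected off-site script and one inline
# redirect snippet. The injected hostname uses the reserved .invalid TLD and
# is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-partner.test/lib.js"></script>
<script src="https://injected-redirector.invalid/x.js"></script>
<script>window.location = "https://injected-redirector.invalid/landing";</script>
</head><body><p>Notizie</p></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and counts inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline_count = 0   # <script> tags without src=

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def find_unexpected_scripts(html, page_url, allowed_hosts):
    """Return the external script URLs whose host is neither the page's own
    host nor in allowed_hosts, plus the number of inline scripts.

    The inline count is meant to be compared with a baseline taken from a
    known-clean copy of the same page; a jump in it is the simplest sign of
    an injected inline snippet such as a redirect to an exploit kit page.
    """
    page_host = urlparse(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts} | {page_host}
    collector = ScriptCollector()
    collector.feed(html)
    unexpected = []
    for src in collector.external:
        host = urlparse(src).hostname  # None for relative URLs => first-party
        if host is not None and host.lower() not in allowed:
            unexpected.append(src)
    return {"unexpected_external": unexpected,
            "inline_scripts": collector.inline_count}


if __name__ == "__main__":
    # Usage: the page URL and the allowlist are placeholders for this example.
    result = find_unexpected_scripts(
        SAMPLE_HTML, "https://it.msn.example/notizie",
        {"cdn.example-partner.test"})
    print(result)
```

Run against a page fetched periodically, the function gives a reviewable diff of script origins; the allowlist belongs to the defender, not the site, which is exactly the point of not treating any site as trusted by default.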

Find out more about Dancho Danchev at his LinkedIn profile.
