Certified Ethical Hacker’s website source of crypto-ransomware

A major security certification group ignored private warning messages from independent researchers saying they were spreading the TeslaCrypt malware.

Albuquerque, New Mexico-based EC-Council, a professional organization that manages the Certified Ethical Hacker program, was the source of the crypto-ransomware.

Researchers from the security firm Fox IT informed EC-Council of the breach. One of their online training programs – one that happened to train computer security students – was hacked by Angler; a program sold online that offers potent Web drive-by exploits.

A few days after not receiving a response from EC-Council, Fox IT published their findings – believing that going public would be for the greater good.

Resembling other drive-by attacks, the one that hit EC-Council was designed to be extremely difficult for researchers to duplicate. The ransomware focuses on Internet Explorer users who were redirected from Google, Bing, or other search engines.

EC-Council, a professional organization that manages the Certified Ethical Hacker program, was the source of the ransomware.

These aren’t the only specifics, as the ransomware also only victimises people from a specific geographic area or from a certain IP address. The EC-Council accounts of the victims then receive a code that sends their browser to a network of malicious domains that have the Angler exploits uploaded.

Fox IT adds that through this embedding, the victim is redirected several times to avoid, frustrate, or stop manual analysis and some automatic systems.

Once the victim has gone through all of the redirects, he lands on the Angler exploit page wherein his browser or plug-in gets exploited. The Angler exploit kit then finally downloads the payload onto the macine.

The redirect happens on the EC-Council site through PHP coding which then applies the redirect to the webpage. Fox IT also concluded that the vulnerability on the EC-Council site lies on the WordPress CMS it uses – a gateway for hackers to get in through weaker plug-ins.

TeslaCrypt demands each victim to pay 1.5 Bitcoin to regain access to their files, or approximately $622.

The EC-Council ransomware infection comes about a week after the BBC, The New York Times, and other big-name popular online publishers were victimized by malicious advertisements that tried to apply crypto-ransomware and other similar malware on devices of unsuspecting users.

It was also highly unusual for all these ad networks to be hit by these malicious applications. Google, AOL, and Rubicon, among others, have not released any statements or explanations how something this widespread could happen or if they have applied any counter-measures for possible future attacks.

Comprehensive multi-device protection for you and your family for up to 6 PCs, Macs, Android, and iOS devices. For more info click here.

Share on social media: