The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password-stealing Trojan.
In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign and this gate is used to perform the redirection to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.
RIG EK has now taken over Neutrino EK as the most commonly used and seen toolkit in the wild. Neutrino EK, which had been the contender to Angler's top spot, has been relatively quiet lately.
We replayed the attack in our lab as shown in the video below. For more details and a traffic capture, please scroll down to the technical section of this post.
We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and the writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri and does not appear to be compromised any more. Most website infections have to do with either the content management system (CMS) or one of its plugins being out of date.
Here's at least one difference we noticed between our archived capture and the current version of the site:
The Yoast SEO plugin had been updated from version 3.07 (vulnerable) to version 3.5 (current version). It's possible this was the vector of infection, but without access to the server logs, this is purely an assumption.
Here's what happened when the site was still compromised: