Beware of these US news websites! They are spreading malware

If you love reading news, especially the kind available in the US, then BEWARE! These US news websites are being used by hackers to spread malware to your phones and systems. Several new techniques are being used to spread malware. As per the latest details, compromised infrastructure of an undisclosed media company is being used to deploy the SocGholish JavaScript malware (also known as FakeUpdates) on the websites of hundreds of newspapers, last count was 250, across the United States (US). Threat Insights informed about the same over its Twitter handle saying that, “Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.”

The threat actor behind this supply-chain attack has been identified as TA569, according to Proofpoint’s Threat Insight team. “We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive,” it tweeted.

Proofpoint further observed that TA569 has inserted malware in the assets of the media company, which is used by multiple news organizations. More than 250 regional/national newspaper sites have been infected by the code. The actual number of impacted hosts is known only by the impacted media company.

It can be known that the impacted media organizations serve: Boston, New York, Chicago, Miami, Washington DC, Cincinnati, Palm Beach, and other national news outlets. Also, according to a report by BleepingComputer, Sherrod DeGrippo, VP of threat research and detection at Proofpoint has informed, “The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States.”

It can be known that Proofpoint has earlier observed that the SocGholish campaigns use fake updates and website redirects to infect users, including, in some cases, ransomware payloads.