Hundreds of US news sites deliver malware

Over 250 regional and national US newspaper sites are spreading malware after falling victim to a supply chain attack.

Cybersecurity company Proofpoint observed intermittent injections at a media company that serves many major news outlets.

News outlets in Boston, New York, Chicago, Miami, Washington, Cincinnati, and Palm Beach, among others, have been impacted.

The media company in question, not named in the brief research summary by Proofpoint, serves content via JavaScript to its partners.

“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish,” Proofpoint said.

SocGholish is also known as FakeUpdates – malware that masquerades as legitimate software updates. It has been linked to the suspected Russian cybercrime group Evil Corp. Proofpoint, however, tracks the threat actor as TA569 and does not assess TA569 as Evil Corp.

“TA569 is a traffic and load seller known for compromising content management servers and injecting and redirecting web traffic to a social engineering kit. The threat actor leverages fake updates to prompt users to update their browser and download a malicious script,” Proofpoint said.

According to the company’s researchers, at least 250 news sites have accessed the malicious JavaScript.