Cyber Incident Victim: Metro

Date:

Jul 2014

Location:

United States of America

Summary

The United States website of the Metro newspaper was compromised to distribute malware via malicious iFrames injected into its pages, redirecting visitors through a traffic distribution system to the RIG exploit kit. The exploit kit targeted software vulnerabilities to deploy a Win32/Simda variant designed to steal browser data, employing evasion techniques such as debugger checks. Most affected users were located in the U.S. and Canada, consistent with the exploit kit’s operational patterns, while antivirus detection rates for the malware remained low at the time of analysis. This incident mirrored similar recent compromises involving other exploit kits targeting high-traffic platforms.

Motives:

1 motive

Tactics, Techniques & Procedures:

2 techniques

Threat Actors:

0 actors

Description

On July 23, 2014, security researchers at Websense reported that the U.S. website of the Metro newspaper (metro.us) had been compromised to distribute malware. Attackers injected a malicious iFrame into multiple pages of the website, which served approximately 1 million monthly visitors. When users loaded these pages, the iFrame silently redirected their browsers through a traffic distribution system (TDS) to sites hosting the RIG exploit kit. The kit fingerprinted each visitor's browser and installed software for exploitable versions and, where it found one, delivered a malware payload. The primary targets were users in the United States and Canada, consistent with regions previously impacted by RIG operations. The malware distributed was identified as a variant of Win32/Simda, designed to steal browser data such as saved credentials and browsing history. At the time of discovery, only 23 of the 53 antivirus engines on VirusTotal detected the malicious file. The malware incorporated anti-analysis techniques, including checks for an attached debugger, to evade detection. Websense analyst Ran Mosessco noted that attackers frequently used TDS infrastructure to rotate between exploit kits such as Angler and Goon/Infinity, though RIG was the kit confirmed in this incident.
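The injection step above (a hidden iFrame pointing off-site, which is the entry point of the whole redirect chain) is the part a site owner can check for directly. The following scanner is an added example written for this entry; it is not code from the original page or from Websense. It uses only the Python standard library, and its heuristics (an iframe that is hidden or a few pixels in size and whose src host differs from the page's own) are general drive-by indicators assumed for illustration, not indicators published for the Metro compromise. The sample HTML and the hostnames in it are constructed.

```python
"""Flag iframes that look like drive-by injection in fetched HTML.

Added example, not code from the original page or from Websense.
Heuristics (hidden or tiny frame pointing to a foreign host) are
assumptions typical of exploit-kit injections; sample HTML and
hostnames below are constructed, not captured from metro.us.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs with lowercased names
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True for a width/height attribute of 2 pixels or less."""
    if value is None:
        return False
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return digits != "" and int(digits) <= 2


def _is_hidden(attrs):
    """True if the frame is styled invisible or sized to a few pixels."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style
            or "visibility:hidden" in style
            or _is_tiny(attrs.get("width"))
            or _is_tiny(attrs.get("height")))


def suspicious_iframes(html, page_host):
    """Return iframes that are hidden/tiny AND point to a foreign host.

    page_host is the hostname of the page being scanned (e.g. 'metro.us');
    subdomains of it are treated as first-party.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        foreign = (host != "" and host != page_host
                   and not host.endswith("." + page_host))
        if foreign and _is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


# Constructed sample page: one legitimate embed, one first-party widget,
# and one hidden 1x1 frame pointing at a hypothetical TDS host.
SAMPLE_HTML = """
<html><body>
<h1>Headline</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://widgets.metro.us/weather" width="300" height="200"></iframe>
<div><iframe src="http://tds.example.net/in.cgi?3" width="1" height="1"
  style="visibility: hidden; position: absolute"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "metro.us"):
        print("suspicious iframe:", finding["src"])
```

Run against a page fetched from the site's own servers, this flags only the hidden off-site frame; the visible YouTube embed and the first-party widget pass. Because TDS hosts rotate, the check keys on the frame's shape rather than on a domain blocklist, which is also why it should be run periodically from a clean host rather than once.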

The compromise exposed Metro's visitors to drive-by download attacks requiring no user interaction beyond visiting the infected pages. The Win32/Simda malware posed a direct threat to data confidentiality by exfiltrating sensitive browser information. No details were provided regarding Metro's internal detection mechanisms, containment actions, or remediation timeline. Websense publicly disclosed the compromise on July 23, but the article did not specify whether Metro had acknowledged the incident or restored normal operations by that date. The attack mirrored a June 2014 compromise of the AskMen website, which similarly leveraged exploit kit infrastructure (Nuclear Pack) to deliver malware. SecurityWeek's Eduard Kovacs contextualized the Metro incident within broader exploit kit trends but did not report definitive attribution or motives. The low detection rate for Win32/Simda highlighted ongoing challenges in signature-based antivirus defenses against polymorphic malware.
