Skip to Content

Crime group hijacks hundreds of U.S. news websites to push malware

Updated on 2022-11-06: Crime group hijacks hundreds of U.S. news websites to push malware

Proofpoint dropped some light details of a mass media compromise in a tweet thread on Wednesday. With more details, @carlypage_ spoke with Proofpoint to learn more. An initial access broker, aka TA569, hacked an unnamed media content provider to deploy malware on hundreds of U.S. news outlet websites; the idea is to trick visitors into installing a fake browser update that eventually delivers malware, usually ransomware (given the links to WastedLocker). It’s a spray-and-pay tactic using the media supply chain to target individuals, rather than the highly targeted efforts by some ransomware gangs by using zero-days and other vulnerabilities to break in. But clearly, it’s having some effect. Read more:

Updated on 2022-11-04: Scores of US News Sites are Delivering Malware

Numerous news sites across the US are serving up malware, according to Proofpoint Threat Research. The issue appears to be a supply chain attack: the attackers targeted a content and advertising engine that serves videos and advertising via JavaScript to the more than 250 affected news sites.


  • This is very similar to an incident in January, that affected realtor websites. A video delivery platform was compromised that affected multiple sites using the service. If applicable, the simplest solution is SRI (Subresource Integrity), which adds hashes to script tags retrieving remote content. But often the “business need” to track users interferes as it requires the JavaScript to change for each user, reducing the applicability of SRI hashes.
  • Those ads are obviously a source of revenue for the company sites showing them, so the cost of making sure that are safe and secure should be built into the business decisions to go after advertising revenue – but obviously that is too often not the case. If your company is hosting ads from third party services, this is a good one to use as part of briefing the management and the board.
  • So what do you do if your trusted site for media and content is itself compromised? Scanning _YOUR_ content won’t reveal that: you have to look at things from an end-user POV and be prepared to disconnect the inappropriate feed as well as aggressively scan for discovered IOCs. Proofpoint is tracking this attack to an APT they call TA569, which is distributing the SocGholish (aka FakeUpdates) malware, which can lead to follow-up issues, including ransomware. TA569 is also adept at re-infecting remediated services, which means you need to be on your toes if you discover SocGholish.
  • Unfortunately most news outlets are 100% dependent upon ad revenue. Some of their “advertisers” are bound to be malicious, and that’s just the water these agencies have to fish in.



The TA569 threat actor infected 250 regional and national news sites in the U.S. with the SocGholish (FakeUpdates) malware, in a supply chain attack. Read more: Over 250 US News Websites Deliver Malware via Supply Chain Attack

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.