Using our site-scanning technology, we were able to detect a change within jQuery.com. Approximately 10-15 minutes after our system detected it, we analyzed the site and detected that a malicious script tag was added. This malicious script then added an invisible iframe that redirected users to the RIG exploit kit, which is typically used to drop banking trojans as well as other information stealers.
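The detection described above boils down to diffing a page against a known-good copy and flagging two things: an external script the baseline never referenced, and an iframe styled to be invisible. The script below is an added example that is not RiskIQ's scanner or any jQuery project code; the HTML samples, host names and the `TRUSTED_HOSTS` allow-list are constructed placeholders. Because the iframe in this incident was created by the injected script at run time, a plain HTTP fetch will only ever show the new script tag; the hidden-iframe check is meant to be fed a DOM snapshot taken from a rendered copy of the page.

```python
# Added example (not RiskIQ's or jQuery's code): detect an injected external
# <script> and a hidden <iframe> by diffing a page against a known-good baseline.
# All HTML samples and host names below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collect every external script src and every iframe's attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)


def extract(html):
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser


def _css_value(style, prop):
    """Return the value of `prop` from an inline style string, or None."""
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            if name.strip().lower() == prop:
                return value.strip().lower()
    return None


def is_hidden_iframe(attrs):
    """Heuristic: display:none / visibility:hidden, or a 0x0 / 1x1 frame."""
    style = attrs.get("style", "")
    if _css_value(style, "display") == "none" or _css_value(style, "visibility") == "hidden":
        return True
    dims = []
    for key in ("width", "height"):
        value = attrs.get(key) or _css_value(style, key)
        if value is not None:
            dims.append(value.lower().rstrip("px").strip())
    return bool(dims) and all(d in ("0", "1") for d in dims)


def find_injections(baseline_html, current_html, trusted_hosts):
    """
    Compare the current page with the baseline. Returns (kind, src, suspicious)
    tuples: every script src absent from the baseline (suspicious when its host
    is not on the allow-list) and every iframe that looks hidden.
    """
    baseline = extract(baseline_html)
    current = extract(current_html)
    findings = []
    for src in current.scripts:
        if src not in baseline.scripts:
            host = urlparse(src).hostname
            findings.append(("new_script", src, host not in trusted_hosts))
    for attrs in current.iframes:
        if is_hidden_iframe(attrs):
            findings.append(("hidden_iframe", attrs.get("src", ""), True))
    return findings


# Constructed sample pages (placeholders, not the real jQuery.com markup).
TRUSTED_HOSTS = {"cdn.example.org"}
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head><body><p>Welcome</p></body></html>"""
COMPROMISED_HTML = """<html><head>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="http://redirector.invalid/loader.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://redirector.invalid/landing" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src, suspicious in find_injections(BASELINE_HTML, COMPROMISED_HTML, TRUSTED_HOSTS):
        print(f"{kind:14} suspicious={suspicious} src={src}")
```

The allow-list matters more than the diff: a legitimate deploy also adds script tags, so a new `src` on a trusted host is worth a glance while a new `src` on a host registered that day (as in this case) is the alert. Store the baseline from a deploy you verified, not from the last scan, or an injection that survives one cycle becomes the new normal.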
One of the reasons for jQuery's popularity is that it is free, open-source software licensed under the MIT License. That same popularity makes a compromised jQuery.com far more dangerous, as the RiskIQ blog notes. James Pleger of RiskIQ says that, because the library is so widely used across the globe, this breach is more harmful than a typical one.
“The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises.”
RiskIQ detected the attack on 18th September 2014, and given that the malicious redirector was hosted on a domain registered that same day, it is more than likely that this was the day the attack actually started.
“Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.”
RiskIQ says that it notified the jQuery Foundation immediately after it noticed the compromise, along with the malicious redirect configuration. jQuery.com administrators responded immediately and removed the malicious script. However, it is not known how many users were infected by the redirected malware before jQuery removed it.
Flaw in the website not known!
The worst news is that neither RiskIQ nor the jQuery administrators know how the attackers managed to breach the website, and as long as that flaw or vulnerability remains on the website, it may allow the attackers to return at any time.
jQuery has asked all users who may have visited the site on or around September 18 to check whether they have been compromised by the malware. RiskIQ has recommended that users who may have been infected immediately re-image the system, reset passwords for any user accounts that have been used on it, and check whether suspicious activity (data exfiltration, etc.) has originated from it.