Hundreds of US news sites hacked to send out malware


Hundreds of news websites across the US have been compromised to deliver malware to their readers, researchers are saying. 

Experts from Proofpoint discovered a malware distribution campaign that targeted an unnamed media company in the US which owns hundreds of websites belonging to various newspapers. 

Allegedly, some of the sites are national, while others serve New York, Boston, Chicago, Miami, Washington, D.C., and other cities. 

Fake browser updates

Overall, more than 250 websites owned by the company were hijacked to deliver the SocGholish JavaScript malware framework. These sites deliver their content to readers via a benign piece of JavaScript. That code was hijacked to deliver what is known as an “initial access threat”, which pushes drive-by downloads posing as software updates.

In other words, website visitors would be prompted to download fake browser updates delivered as ZIP archives.
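As an added illustration (not code from the article or from Proofpoint), here is the kind of defender-side check a site embedding a partner script can run: pin a Subresource Integrity hash for the third-party file and flag when the served bytes drift from that baseline, which is exactly the change this campaign relied on. The partner URL and both script bodies are constructed for the example.

```python
"""Baseline-hash check for third-party JavaScript served to partner sites.

Added example, not from the article or Proofpoint: a site that embeds a
partner script records the script's SRI hash and alerts (or lets the browser
refuse the file) when the served bytes no longer match the pinned value.
"""
import base64
import hashlib


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_attribute(src: str, body: bytes) -> str:
    """Render a <script> tag pinned to the current body; browsers refuse a mismatching file."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def check_against_baseline(baseline: dict, observed: dict) -> list:
    """Compare served script bodies to pinned hashes.

    baseline maps URL -> pinned SRI token; observed maps URL -> bytes actually served.
    Returns a list of (url, status) with status in {"ok", "modified", "missing"}.
    """
    findings = []
    for url, pinned in baseline.items():
        body = observed.get(url)
        if body is None:
            findings.append((url, "missing"))
        elif sri_hash(body) != pinned:
            findings.append((url, "modified"))
        else:
            findings.append((url, "ok"))
    return findings


# Constructed sample: a benign partner script and a later copy with unexpected extra bytes.
BENIGN = b"window.partnerWidget = function(){ document.title += ' | partner'; };\n"
TAMPERED = BENIGN + b"/* unexpected bytes appended to the partner script */\n"
PARTNER_URL = "https://cdn.example-partner.invalid/widget.js"  # hypothetical URL

BASELINE = {PARTNER_URL: sri_hash(BENIGN)}

if __name__ == "__main__":
    print(integrity_attribute(PARTNER_URL, BENIGN))
    for url, status in check_against_baseline(BASELINE, {PARTNER_URL: TAMPERED}):
        print(status, url)
```

An SRI pin only protects the file named in that tag, not resources the partner script itself loads later, and it requires re-pinning whenever the partner legitimately ships a new version.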

"The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States," Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.

"Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners," Proofpoint said in a Twitter post. 

"By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish."

Proofpoint also said that SocGholish can be used to launch stage-two attacks, which could include ransomware infections, as well. It seems to be speaking from experience here, as Evil Corp, an infamous Russia-based threat actor, is known for using SocGholish in similar campaigns. It once even tried to deploy its WastedLocker ransomware, but was thwarted by Symantec. 

In this particular situation, it seems that the attack is the work of a group tracked as TA569.

"The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation," the researchers warned. 

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
