Amnesty International UK Site Hacked, Serves Malware
The malware could enable attackers to access a victim's files, e-mails, passwords and other sensitive data, according to Websense researchers.
Websense researchers report that the Web site for Amnesty International UK was compromised from Tuesday to Wednesday of this week. "The website was apparently injected with malicious code for these 2 days," writes Websense's Gianluca Giuliani. "During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection."
"Users who visited the site were infected with a malicious downloader that installed the popular commercial malware kit, Gh0st RAT," writes Threatpost's Christopher Brook. "The Gh0st RAT variant's executable was signed with a valid certificate from a Shenzhen, China-based technology company, fooling some users into thinking the download was legitimate. If a user installed the kit, an attacker could monitor the infected user’s files, e-mails and passwords, among other confidential information."
"Websense detected over 100 other websites infected with the same malicious code as Amnesty International's U.K. website during the same time period, Carl Leonard, senior manager of Websense Security Labs, said," writes Computerworld's Lucian Constantin.
"This is not the first time an Amnesty International website has been hit," notes TechWeekEurope's Tom Brewster. "Websense found the same site had been compromised in 2009, whilst the Hong Kong arm of the charity was injected with dirty code in 2010."
"In a statement to IT Pro, Amnesty International played down the incident, stressing that no user details would have been compromised," writes IT Pro's Caroline Donnelly. "'As soon as we became aware of the infection we worked with our hosting company, Claranet, to isolate it and remove it as a matter of urgency,' it stated. 'All our users' profiles are held on a completely separate website and server and were in no way compromised by this incident.'"