Extendoffice.com has fixed a security hole in its site that was redirecting thousands of users to the Angler exploit kit, which was dropping TeslaCrypt ransomware.
The site, which sells add-on software for Microsoft Office, is ranked in Alexa's top 10,000 globally and sits at around 5,500 in the US, meaning it has millions of visitors.
According to the Trustwave SpiderLabs team blog, the site was built on Joomla 3.4.3 which is vulnerable to CVE-2015-8562 "Object Injection Remote Command Execution" – a vulnerability that was exploited in the wild as a zero-day before it was patched in December 2015 with the release of version 3.4.6 of Joomla.
Rami Kogan, author of the blog, said it appears that criminals used the vulnerability to upload a malicious script to Extendoffice's web server, which then injected obfuscated JavaScript into every web page served.
The writers of the code used some clever tricks to make the code run in Internet Explorer, the primary target of Angler, but not Firefox.
They also used a method for executing obfuscated JavaScript without using the eval method – eval often raises red flags in security scanners, Kogan writes.
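A defender-side illustration of the two tricks just described: the scanner below, an added example that is not from Trustwave's write-up or the Extendoffice site, pulls inline script bodies out of a served page and flags indicators of eval-free string execution, IE-only constructs and common obfuscation artefacts. The indicator patterns and the two sample pages are constructed assumptions, not the injected code from the incident.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators (assumptions, not the incident's actual code): ways of
# running code from a string without calling eval(), features that exist only
# in Internet Explorer, and artefacts that obfuscators commonly leave behind.
INDICATORS = {
    "eval-alternative": re.compile(
        r"\bnew\s+Function\s*\(|\bFunction\s*\(\s*[\"'\w]|"
        r"\bset(?:Timeout|Interval)\s*\(\s*(?:[\"']|[\w$.\[\]]+\s*\+)"),
    "ie-only": re.compile(
        r"document\.documentMode|ActiveXObject|window\.attachEvent|"
        r"\bexecScript\b|\[if\s+[^\]]*IE\]"),
    "obfuscation": re.compile(
        r"(?:\\x[0-9a-fA-F]{2}){4,}|(?:\\u[0-9a-fA-F]{4}){4,}|"
        r"String\.fromCharCode\s*\(|\bunescape\s*\(|\b_0x[0-9a-f]{2,}\b"),
}

class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies; IE conditional comments count as scripts."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data
    def handle_comment(self, data):
        if re.search(r"\[if\s+[^\]]*IE\]", data):
            self.scripts.append(data)

def scan_page(html):
    """Return (inline-script index, sorted indicator names) for each suspicious script."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for index, body in enumerate(parser.scripts):
        reasons = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if reasons:
            findings.append((index, reasons))
    return findings

# Constructed sample pages: a benign page and one carrying an injected script.
CLEAN_PAGE = r"""<html><head><script src="/js/app.js"></script></head>
<body><script>document.getElementById('x').onclick = function(){ alert('hi'); };</script></body></html>"""
INJECTED_PAGE = r"""<html><head><script src="/js/app.js"></script>
<script>var _0x4a=["\x73\x63\x72\x69\x70\x74","\x68\x74\x74\x70"];
if(document.documentMode){setTimeout(_0x4a[0]+_0x4a[1],1);}</script></head><body></body></html>"""
```

Run against saved copies of a site's served pages, the scanner points at exactly the kind of block that a site owner would otherwise only learn about from an outside researcher; each hit still needs a human look, since legitimate scripts occasionally trip one indicator.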
Kogan said that a quick reference to VirusTotal found that apart from Trustwave, the vulnerability had not been identified by any of the other 66 companies listed.
Trustwave said it notified Extendoffice and its hosting company of the problem but heard nothing back. However, as of yesterday, the malware had been cleaned from the site.