BBC music websites hacked

Music-streaming websites operated by the BBC have been hacked with 'malicious' frames which deliver malware using drive-by downloads.

According to Websense, hackers had set up the drive-by malware on the broadcaster's 6 Music and BBC 1Xtra radio web sites.

"The BBC - 6 Music Web site has been injected with a malicious iFrame, as have areas of the BBC 1Xtra radio station Web site," a Websense researcher wrote.

"The injected iFrame occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site.

"If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable."

The .co.cc TLD is located in the Cocos Islands, an Australian territory located in the Indian Ocean.

The BBC is yet to comment on the matter.

The payload is delivered to the end user only once, with the initial visit being logged by the malware authors.

Websense claims the injected iFrame is at the bottom of the BBC 6 Music webpage and has been set up to automatically download some dodgy code from a .cc website. Apparently the hack is exactly the same on the BBC's 1Xtra website.

"If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable," Websense continued.
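For site owners, the injection described above is something a routine integrity check on served pages can surface. The following is an added example, not code from Websense or the BBC: it parses a page, lists every iFrame whose source host falls outside an allowlist, and notes whether the frame is styled to be invisible. The allowlist value, the hidden-frame heuristic and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: host suffixes the site owner expects to frame content from.
ALLOWED_SUFFIXES = ("bbc.co.uk",)

class IframeAuditor(HTMLParser):
    """Collect every <iframe> with its source host and line number."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        self.frames.append({"line": self.getpos()[0], "host": host, "attrs": a})

def is_allowed(host):
    # Relative URLs have no host and stay on the serving site.
    return host == "" or any(host == s or host.endswith("." + s)
                             for s in ALLOWED_SUFFIXES)

def is_hidden(attrs):
    # Assumed heuristic: 0/1-pixel frames or CSS that hides the element.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def audit(html):
    """Return (line, host, hidden) for each iframe pointing off the allowlist."""
    parser = IframeAuditor()
    parser.feed(html)
    return [(f["line"], f["host"], is_hidden(f["attrs"]))
            for f in parser.frames if not is_allowed(f["host"])]

# Constructed sample page: two legitimate frames, one injected at the foot.
SAMPLE = """<html><body>
<h1>Station page</h1>
<iframe src="/player/embed" width="400" height="60"></iframe>
<iframe src="https://media.bbc.co.uk/widget"></iframe>
<p>footer</p>
<iframe src="http://injected.example.invalid/in.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, hidden in audit(SAMPLE):
        print(f"line {line}: off-site iframe -> {host} (hidden={hidden})")
```

Run against a known-good baseline on a schedule, a new finding at the foot of a page is the signal to investigate how the markup was changed.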

The malware was designed using a Phoenix Exploit Kit and only 12 out of 43 of the top anti-virus packages found the exploit. Using a VirusTotal scan to see which products picked up the injected iFrame, Websense showed that anti-virus scans from some outfits like Kaspersky, Symantec, PC Tools and Trend Micro picked up the hack.

However, other top name insecurity vendors like Sophos, McAfee and even Microsoft's anti-virus tools didn't register the hack at all.

That is an appalling detection rate from both free and paid-for anti-virus kits and, as of yesterday, Websense reckoned the anti-virus toolkits were still vulnerable.