July 13, 2017
The start date the website was compromised and past activity in this attack vector are currently impossible to determine. There are at least 15 domain addresses registered by an unknown individual. The malicious code forces the browser of any visitor to the website to covertly connect to one of them. These domains can reply with any independent document, from a fraudulent input form for entering bank card details to a brute-force attack of vulnerabilities, aimed at obtaining access to a visitor’s computer.
While a website page requested by a user is being generated dynamically, the container <iframe> is added to the website code. It allows any external data to be downloaded or requested from the user’s browser. Currently, the security researchers have detected at least 15 domains. Among them are m3oxem1nip48.ru, m81jmqmn.ru and other addresses of intentionally inconclusive names. At least five of them belong to a range of addresses of companies registered in the Netherlands. Over the past day, requests to these domains are either unsuccessful, because the security certificate of most of these websites is expired, or don’t contain any malicious code. However, there’s nothing to prevent the domain owners from updating the certificates at any moment and publishing malicious code on these domains.
Currently, the website gosuslugi.ru is still compromised. Information has been sent to the website’s technical support service, but it has yet to confirm that it has launched an investigation and initiated measures to prevent such incidents in the future. Doctor Web recommends that users be careful when using the Government Services Portal of the Russian Federation until the situation is resolved. Doctor Web, Ltd., recommends that the administration of the website gosuslugi.ru and the relevant authorities perform a security check on the website.
Any user can check for the code’s presence themselves by using a search tool and making the following request:
UPDATE: The potentially malicious code was removed from gosuslugi.ru after approximately 3 hours from the publication.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.