EC-Council you never fail to disappoint... website infected with Angler exploit kit
Their website was discovered to be infected with the Angler exploit kit.
https://twitter.com/ydklijnsma/status/712623731319943168
You would think they could put some of those yearly fees into keeping their website secure
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
Comments
-
danny069 Member Posts: 1,025 ■■■■□□□□□□
Hmm...seems like they need a CEH
I am a Jack of all trades, Master of None
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
-
renacido Member Posts: 387 ■■■■□□□□□□
I'm sure they outsource hosting of their public website. But this is no excuse.
A lot of companies don't hold service providers accountable - require SOC-2 reports, audits, etc. EC-Council should know better. Could be the hosting provider isn't on top of their game.
One of the downsides of outsourcing - the provider never cares as much about your stuff as you do (or should).
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
This isn't the first time they've been pwned, or second time....
-
OctalDump Member Posts: 1,722
I imagine they would be a popular target. I guess I'll wait for a notification that my PII has been compromised.
2017 Goals - Something Cisco, Something Linux, Agile PM
-
gespenstern Member Posts: 1,243 ■■■■■■■■□□
Well, it's not that bad, considering that Angler EK delivered TeslaCrypt as of recently through advertisement on major websites including forbes.com and the likes.
-
JockVSJock Member Posts: 1,118
renacido wrote: »I'm sure they outsource hosting of their public website. But this is no excuse.
The SLA should state that all employees must have C|EH...oh wait, that would probably increase EC-Council's cost.
renacido wrote: »EC-Council should know better.
From what others have said on this site and my interactions with them, EC-Council and professionalism don't go hand-in-hand.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)
"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□
gespenstern wrote: »Well, it's not that bad, considering that Angler EK delivered TeslaCrypt as of recently through advertisement on major websites including forbes.com and the likes.
Did you actually look at the tweet the OP linked to? This wasn't some ad-rotator - the WordPress instance eccouncil hosts their web content on was compromised.
-
Mike7 Member Posts: 1,107 ■■■■□□□□□□
Yup. WordPress 4.2.2 on Windows Server 2012 R2 (IIS 8.5) and PHP 7.0.
Info can be seen from any browser built-in developer tool or via https://sitecheck.sucuri.net/results/iclass.eccouncil.org
Probably infected via either WordPress or plugin vulnerability.
EC Council should update their WordPress and related plugins. Version 4.2.2 was released May last year, the latest version is 4.4.2 (with 4.5 coming soon), and there were a couple of critical security patches since 4.2.2.
FWIW, WordPress versions since 3.7 will automatically update to newer versions. Guess the web design company or whoever maintains the site disabled the auto update feature.
-
Iristheangel Mod Posts: 4,133 Mod
Ouch.
I definitely don't regret letting those EC-Council certs expire in February. I would have never gotten them in the first place if it wasn't part of my degree at WGU. What a trainwreck...
-
JockVSJock Member Posts: 1,118
Iristheangel wrote: »I definitely don't regret letting those EC-Council certs expire in February. I would have never gotten them in the first place if it wasn't part of my degree at WGU. What a trainwreck...
Wow...With this much brouhaha surrounding C|EH and EC-Council and their professionalism, I'm beginning to doubt my endeavor and allocation of time and energy towards this cert.
-
Danielm7 Member Posts: 2,310 ■■■■■■■■□□
Ugh, wordpress, come on! And they wonder why they get such a bad rap.
-
LinuxRacr Member Posts: 653 ■■■■□□□□□□
And I actually have been considering getting the C|EH en route to getting the OSPC and the CISSP.....
My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
-
EngRob Member Posts: 247 ■■■□□□□□□□
636-555-3226 wrote: »Wordpress compromised... Who would have thought.....
That's never happened before....
-
cyberguypr Mod Posts: 6,928 Mod
The way I see the problem is not the mere fact that they have been compromised. To me the issue is the sum of all the little things here and there that have gone wrong with them: security, over-priced product, spelling, lousy support, pushing AMFs just because they can, etc.
Great to go past the HR goon in an organization that doesn't know better, but that's it.
-
dustervoice Member Posts: 877 ■■■■□□□□□□
I'm sure the hacker was just practicing for CEH with some old tools.
-
Mike7 Member Posts: 1,107 ■■■■□□□□□□
Danielm7 wrote: »Ugh, wordpress, come on! And they wonder why they get such a bad rap.
Not dissimilar to how most of us on Windows apply patches regularly and have anti-virus software installed.
This is something else....
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Stuff happens but the lack of response when an issue is reported is a big problem in my eyes.
-
chopsticks Member Posts: 389
Major security certification group ignored private warnings for more than 3 days
For the past four days, including during the hour that this post was being prepared on Thursday morning, a major security certification organization has been spreading TeslaCrypt malware—despite repeated warnings from outside researchers.
EC-Council, the Albuquerque, New Mexico-based professional organization that administers the Certified Ethical Hacker program, started spreading the scourge on Monday. Shortly afterward, researchers from security firm Fox IT notified EC-Council officials that one of their subdomains—which just happens to provide online training for computer security students—had come under the spell of Angler, a toolkit sold online that provides powerful Web drive-by exploits. On Thursday, after receiving no reply and still detecting that the site was infected, Fox IT published this blog post, apparently under the reasonable belief that when attempts to privately inform the company fail, it's reasonable to go public.
Like so many drive-by attack campaigns, the one hitting the EC-Council is designed to be vexingly hard for researchers to replicate. It targets only visitors using Internet Explorer and then only when they come to the site from Google, Bing, or another search engine. Even when these conditions are met, people from certain IP addresses—say those in certain geographic locales—are also spared. The EC-Council pages of those who aren't spared then receive embedded code that redirects the browser to a chain of malicious domains that host the Angler exploits.
More details and reading -->
Certified Ethical Hacker website caught spreading crypto ransomware | Ars Technica
-
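The article quoted above says the injected redirect was served only to Internet Explorer visitors arriving from a search engine. As an added example (not from the thread or the article), one way a site owner can check for that kind of conditional injection is to fetch the same URL under several request profiles and compare the third-party script and iframe hosts in each response; the profile labels, host names and sample HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class SrcHosts(HTMLParser):
    """Collect the hosts that <script src> and <iframe src> point at."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None
            if host:
                self.hosts.add(host.lower())

def external_hosts(html, site_host):
    """Hosts referenced by the page that are not the site or its subdomains."""
    parser = SrcHosts()
    parser.feed(html)
    return {h for h in parser.hosts
            if h != site_host and not h.endswith("." + site_host)}

def conditional_hosts(responses, site_host, baseline):
    """Map each non-baseline profile to hosts it received that the baseline did not."""
    base = external_hosts(responses[baseline], site_host)
    findings = {}
    for profile, html in responses.items():
        extra = external_hosts(html, site_host) - base
        if profile != baseline and extra:
            findings[profile] = extra
    return findings

# Constructed sample: the same URL fetched under four request profiles
# (browser User-Agent x Referer). Hosts and markup are hypothetical.
CLEAN = ('<html><head><script src="/js/site.js"></script>'
         '<script src="//cdn.example.com/lib.js"></script></head>'
         '<body>Course list</body></html>')
SAMPLE = {
    "firefox/direct": CLEAN,
    "firefox/search": CLEAN,
    "ie/direct": CLEAN,
    "ie/search": CLEAN.replace(
        "</body>", '<iframe src="http://redirect.example.net/x"></iframe></body>'),
}

if __name__ == "__main__":
    print(conditional_hosts(SAMPLE, "training.example.org", "firefox/direct"))
```

Because the article also mentions that visitors from certain IP addresses were spared, the real fetches should come from more than one network, and markup injected as an inline script has no `src` and needs a body comparison instead.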
Mike7 Member Posts: 1,107 ■■■■□□□□□□
-
thomas_ Member Posts: 1,012 ■■■■■■■■□□
Kind of reminds me of the time when I was searching for Mike Meyers' website in Google, to see that his website's meta tags had been maliciously changed. I sent them an email about it. Apparently their site had been hacked recently.
-
bigdogz Member Posts: 881 ■■■■■■■■□□
Thanks for not disappointing, EC Council. Just when we thought you might have your act together we are proven wrong again and again.
There should be a certification to find all of the exploits in their infrastructure. It might be a better certification path.
-
markulous Member Posts: 2,394 ■■■■■■■■□□
cyberguypr wrote: »The way I see the problem is not the mere fact that they have been compromised. To me the issue is the sum of all the little things here and there that have gone wrong with them: security, over-priced product, spelling, lousy support, pushing AMFs just because they can, etc.
Great to go past the HR goon in an organization that doesn't know better, but that's it.
Agreed. If it weren't for the fact that I get away from Taskstream, I wouldn't be quite as thrilled about taking the CEH and CHFI. Even with all these issues, EC Council is still the lesser of those two evils IMO.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□
To be fair, quite a number of web sites are on WordPress and we do not read about their sites being compromised.
Yes, but this is a cyber security related company, you would think they'd be on top of their game, everyone gets compromised from time to time, but usually it's caught within hours, and doesn't drag on for days. It's kinda like the fire department house burning to the ground or the police station getting robbed.
Still searching for the corner in a round room.
-
cyberguypr Mod Posts: 6,928 Mod
Back to my point about the sum of all parts. This is not an isolated event.
Errata: Charlatan - EC-Council (ECC)
-
[Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
Remember though, nobody can detect 100% of anything. Even if you look at the vulnerability database https://nvd.nist.gov/ it would be impossible to stop it all as things are updated every minute with new vulnerabilities. Not all threats can be stopped. If there was a 100% security protection solution then there would be no need for security professionals and most of us here wouldn't have jobs. I'm even willing to bet that this site is vulnerable to some form of XSS or CSRF and this is a forum for IT pros and IT certifications. Even look at OSCP certification they even offer a bounty program for finding vulnerabilities on their site and they are top of the line for pen testing certs: https://www.offensive-security.com/bug-bounty-program/ That is my 2 cents on this at least.
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
I think how a company reacts to a security incident is the most important thing. My opinion of EC dropped a lot initially because a few years ago their website was full of broken links. If it wasn't for WGU I wouldn't have ever taken any of their tests because it's a bad sign when you are trying to sell me on taking a cert of yours and your links to more information are all broken.
-
wayne_wonder Member Posts: 215 ■■■□□□□□□□
You can bash them but they keep getting people to take their exams regardless and job postings around the world want CEH or CHFI so they can't be doing too bad.