NHS Website Hosting Malware

This morning I was made aware that certain pages of the NHS website - the UK’s National Health Service - were hosting malware that was automatically redirecting users to malicious pages. The story broke on the popular news site Reddit, you can see the actual reddit thread here.

The first and most important point is that if you ever find yourself unexpectedly redirected from a page to another page then you should definitely not agree to install any software suggsted by the redirected site. Your safest course of action is likely to close the tab or even your browser as soon as possible and then run a full virus scan after updating your virus software.

Here is some information on this particular attack

The list of URLs originally shown to be hosting this malware can be found here.

The attack vector seems to be in a (possibly accidental) mis spelling of the domain name that is hosting some Javascript related to Google Translate.

You can see a correct chunk of HTML here:

<script type="text/javascript" src="/includes/AC_RunActiveContent.js"></script>
<script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script><link type="text/css" rel="stylesheet" charset="UTF-8" href="https://translate.googleapis.com/translate_static/css/translateelement.css"><script type="text/javascript" charset="UTF-8" src="https://translate.googleapis.com/translate_static/js/element/main.js"></script>
<script type="text/javascript" src="/includes/translate.js"></script>

And here is the compromised HTML

<script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>
<script type="text/javascript" src="//translate.googleaspis.com/translate_static/js/element/19/element_main.js"></script>
<script type="text/javascript" src="//translate.googleaspis.com/translate_static/js/element/element.js"></script>
<script type="text/javascript" src="/includes/translate.js"></script>

The domain name googleaspis.com is registered by regtons.com and though the Whois information has the actual domain ownership details obfuscated by a Czech company that protect the actual real ownership details, it does seem that the server and other internet services are all based in the Czech Republic.

Checking the Google Safe Browsing information, you can see that Google have found numerous issues on the NHS domains seemingly starting on the 31st of January this year.

It seems that the NHS have now confirmed that they are aware of this issue and are currently taking action to resolve the problem.

It is still not clear exactly how or why this issue cropped up in the first place. If it was an accident, how did it manage to get past what you would expect to be quite rigorous quality assurance processes? If this was a result of a malicious break in, how did they manage to compromise the website in this way and are there any further security issues that we should, as a nation, be worried about?

Tags: nhsmalwarejavascriptcompromisesecurity