The news websites, WTOP.com and FederalNewsRadio.com, are accessible
to all Internet users following resolution of a cyber attack against the
websites. Users accessing the websites from all web browsers, including
Internet Explorer, have full access to both websites.
"Getting the websites back up and running safely for all users has
been our top priority," said Joel Oxley, Senior Vice President and
General Manager of WTOP and Federal News Radio. "We take our users'
privacy very seriously, and we have taken steps to prevent similar
occurrences. We apologize to our user community for any inconvenience
that this incident has caused."
WTOP.com and FederalNewsRadio.com were victims of cyber attacks last
week. When the attacks were discovered, an investigation was launched
immediately, the malicious code was removed, additional security
measures were installed, and federal law enforcement officials were
notified of the incident.
Access to the websites from Internet Explorer web browsers was
blocked after the initial review suggested the hackers may have
targeted Internet Explorer users, and to allow for a careful
examination of how site security was compromised.
Full access to the websites was restored on Saturday evening, May 11,
2013, after a review of site security and implementation of
recommendations to fix the vulnerabilities the attacker exploited to
gain access to the websites. The review was conducted and
recommendations were made by Mandiant, an internationally recognized
cybersecurity consulting firm.
"We have found and eliminated the vulnerabilities that were
exploited," said John Spaulding, the Washington, D.C. Director of
Information Systems for Hubbard Radio, the parent company of WTOP and
Federal News Radio.
Computers infected with the malware may display a pop-up message
indicating that the computer is infected with a virus. This pop-up
message may be fake if it prompts the user to click on a link, which
takes them to a website that is not recognized by the user. This fake
website offers security software for sale and prompts users to provide
personal information, including credit card numbers. Users should not
provide this information if prompted to do so.
Computers with up-to-date anti-virus programs and security software
should identify the malware and provide instructions on how to delete or
quarantine it.
Out of an abundance of caution, WTOP.com and Federal News Radio users
who accessed the websites from any web browser during the cyber attack,
which occurred approximately from May 5 to May 7, are encouraged to
update and run their security software and perform a malware scan on
their computer. (See below for more information on how to run a malware
scan.)
In addition, the passwords for all registered users and users who
receive breaking news, daily headline or other emails from both websites
have been reset. These users have been contacted directly, informed of
the need to reset their passwords the next time they visit the websites,
and encouraged to change their passwords on other websites where they
use the same password.
"During the cyber attack, it is possible the database of WTOP.com and
FederalNewsRadio.com email users may have been compromised. However, we
have no evidence that any log-in information was actually acquired by
the hackers," said Spaulding.
Neither WTOP.com nor FederalNewsRadio.com collects or stores social security numbers or credit card information.
WTOP.com and FederalNewsRadio.com are reaching out to all users, via
email messages and through social media, to make them aware of the
situation. More information on how to detect malware on a computer can
be found below.
How do I know if my computer was infected?
The malware attack targeted the Internet Explorer browser. If you
accessed WTOP.com or FederalNewsRadio.com from Internet Explorer
recently, you may have been infected. While other browsers may not have
been directly infected, the malware still may have installed a cookie on
your browser. We urge everyone to clear their cookies and browser cache
no matter what browser they have been using to access WTOP.com or
FederalNewsRadio.com, and to do a full virus scan on their machine (see
instructions below).
An infected machine may exhibit some or all of the following behavior:
Active programs will be shut down.
Fake virus scanner, often labeled "Internet Security," will automatically open and run.
Inability to open or access any programs or applications. Attempting to do so may result in a fake virus warning.
Periodic pop-ups displaying a fake warning and/or prompting the user to purchase the full product.
The malware (often called amsecure.exe) resides in memory and adds itself to the list of startup programs.
An infected machine will likely open numerous windows with an error message such as:
"Amsecure.exe warning! Application cannot be executed. The file cmd.exe is infected. Please activate your antivirus software."
"Warning! Running Trial version!! The security of your computer has
been compromised! Now running trial version of the software! Click here
to purchase the full version of the software and get full protection for
your PC!"
"Attention. Suspicious software activity is detected by Amsecure.exe on
your computer. Please start system files scanning for details."
"Amsecure.exe detects application that seems to be a key-logger. System
information security is at risk. It is recommended to enable the
security mode and run total System scanning."
"Warning! Name: taskmgr.exe. Name: C:\WINDOWS\taskmgr.exe"
You may also see error messages when trying to access the Internet, such as the ones below:
Iexplore caused an Invalid Page Fault in module3 (the number at the end can vary)
The web page you requested is not available offline
Explorer caused an exception C06D007EH in module Sens.dll
What do I do if I was infected with malware?
If you don't already have an anti-virus program on your machine,
download one. Some free possibilities are AVG or Avast. A removal tool,
which may help, can be found here. The best practice for removing
malware is to download the anti-virus program to a trusted,
non-infected computer instead of the computer which you believe has the
virus.
If you have access to a trusted, non-infected computer:
Download the anti-virus program and save it to a CD or flash drive.
Reboot the infected computer.
As soon as you see the screen come on, begin tapping the F8 key.
You should soon see a menu of options. Use the arrow keys to move up
and down the options list (your mouse won't work) until the "Safe Mode"
option is highlighted.
Press "Enter" to choose "Safe Mode".
After the computer is done booting into safe mode, insert the CD or
flash drive that contains the anti-virus program you downloaded earlier.
Navigate to the drive that contains the program. Run the anti-virus
program by double clicking on it.
Run a full scan on the computer and have it remove any infected files.
Restart the computer into its regular state.
If you do not have access to a trusted, non-infected computer:
Reboot the infected computer.
As soon as you see the screen come on, begin tapping the F8 key.
You should soon see a menu of options. Use the arrow keys to move up
and down the options list (your mouse won't work) until the "Safe Mode
with Networking" option is highlighted.
Press "Enter" to choose "Safe Mode with Networking".
After the computer is done booting into safe mode, open a browser and download the removal tool from:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~FakeAV-GOJ.aspx
Run a full scan on the computer and have it remove any infected files.
Restart the computer into its regular state.