What's interesting here is that the target isn't the computer, it's the home router. Needless to say, it's a Bad Day when someone owns your home router.

At least five dating websites may be involved in an attack scenario that is spreading a worm to site visitors, infecting their home router and adding it to a botnet.

The worm is a variant of TheMoon, which was first discovered in February 2014, and works by taking advantage of weaknesses in the HNAP (Home Network Administration Protocol) protocol.

Attackers are using one-night stand dating sites to spread the worm. On each malicious website, the infection occurs via a two-step phase launched via a malicious iframe embedded on the page.

The iframe works by making different URL calls to see if the router runs the HNAP protocol and if it uses the 192.168.0.1 and 192.168.1.1 for router management and as gateway IPs.

It then calls home, informing its creators of its findings. Here is where the second attack stage happens, and where a second URL is loaded in the iframe, which delivers the actual worm, a Linux ELF binary.
It seems that the web sites were stood up using a stolen identity, so there are multiple layers of security fail involved. If Online Dating is your bag, Baby, it's probably best to stick to a name brand site. Err, not Ashley Madison, though.
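
For defenders, the behaviour described in the quoted article (a page on a public site making the browser request 192.168.0.1 and 192.168.1.1) is something that can be hunted for in browser or proxy request logs. The Python sketch below is an added example, not code from the article or this post; the log record layout and sample entries are constructed, and the `/HNAP1/` path is the standard HNAP endpoint rather than a URL the article lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Gateway addresses named in the article as the ones the iframe checks.
GATEWAYS = {"192.168.0.1", "192.168.1.1"}

# Constructed sample records: (client, requested URL, Referer). Not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "http://192.168.1.1/HNAP1/", "http://dating-site.example/home"),
    ("10.0.0.5", "http://192.168.0.1/HNAP1/", "http://dating-site.example/home"),
    ("10.0.0.7", "http://192.168.1.1/login.html", ""),  # typed by the user
    ("10.0.0.7", "http://192.168.1.1/status.html", "http://192.168.1.1/login.html"),
    ("10.0.0.9", "https://news.example/story", "https://search.example/?q=x"),
]

def is_private_host(host):
    """True if host is an IP literal in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treated as public in this sketch
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_gateway_probes(records):
    """Return alerts for requests to a home gateway IP that were triggered by
    a page on a non-private origin (cross-origin probing of the router)."""
    alerts = []
    for client, url, referer in records:
        target = urlsplit(url)
        if target.hostname not in GATEWAYS:
            continue
        ref_host = urlsplit(referer).hostname if referer else None
        if ref_host is None or is_private_host(ref_host):
            continue  # direct navigation or the router's own admin pages
        alerts.append({
            "client": client,
            "gateway": target.hostname,
            "referer_host": ref_host,
            # Assumption: /HNAP1/ is the standard HNAP endpoint; the article
            # does not give the URLs the iframe actually requested.
            "hnap": target.path.upper().startswith("/HNAP1"),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_gateway_probes(SAMPLE_LOG):
        print(alert)
```

Requests to the gateway with no Referer, or with a Referer on the router itself, are treated as normal administration and are not flagged.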