Hackers compromise 10k sites, launch 'phenomenal' attack
The large-scale attack is based on the multiexploit hacker kit dubbed 'Mpack'
Computerworld - Attackers armed with an exploit tool kit have launched massive attacks in Europe from a network of at least 10,000 hacked Web sites, with infections spreading worldwide, several security companies warned today.
As early as last Friday, analysts reported the opening salvos of a large-scale attack based on the multiexploit hacker kit dubbed "Mpack." The mechanics of the attacks are complex, but essentially attackers taint each compromised site with code that then redirects visitors to a server hosting the Mpack kit -- a professional, Russian-made collection of exploits that comes complete with a management console to detail which exploits are working and against what countries' domains.
Infected computers are fed a diet of malicious code, largely keyloggers that spy out usernames and passwords for valuable accounts such as online banking sites.
"The gang behind the attack has successfully compromised the home pages of hundreds of legitimate Italian Web sites," said Symantec Corp. researcher Elia Florio in a posting to the vendor's security response blog on Friday. "The list of compromised sites is huge and from Mpack statistics this attack is working efficiently."
Florio said that Symantec is uncertain how the sites were originally hacked but that she suspects a common vulnerability or configuration problem at the hosting level.
Paul Ferguson, a network architect at Trend Micro Inc., would only guess at how sites were hijacked but said that "how" is mostly a moot question. What's important, he said, is that "the hackers seem to be able to find a lot of sites to compromise no matter where they look."
By Friday night, Symantec had pegged the number of compromised sites feeding Mpack exploits at 6,000; by today, Websense Inc., a San Diego-based Web security company, said it had tracked more than 10,000. "That's a phenomenal number," added Ferguson, who said that previous compromised-site attacks using hacker kits could be counted as "several hundred here, a couple hundred there."
Screenshots of the Mpack management console posted by Websense on Monday and Symantec on Friday illustrate the large numbers of computers that have surfed to the compromised sites and the high success rate of the Mpack-delivered exploits. Although the bulk of the victim PCs use Italian IP addresses, U.S.-based machines are not immune.
"The lion's share of the sites we're seeing are in Italy still," said Ferguson, "but we're seeing sites all over the world as well." For instance, Trend Micro has identified hacker-controlled sites hosted in California and Illinois. The California site is hosted by a company Ferguson called "notorious," but he wouldn't divulge the hosting vendor's name.
"The usual advice we give, 'Avoid the bad neighborhoods of the Web,' just doesn't hold water anymore," when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighborhood now."
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts