Bank of India site hacked, serves up 22 exploits
Reminiscent of Super Bowl site hack in January; notorious Russian gang suspected
Computerworld - The Bank of India Web site was hacked sometime Wednesday night (U.S. time) and seeded with a wide, wild array of malware that infected any users running unpatched browsers, security researchers said today.
Although the bank's site had been scoured of all malware by Friday morning, it's currently offline. "This site is under temporary maintenance and will be available after 09:00 IST on 1.09.07," a prominent message currently reads.
Researchers at Sunbelt Software Inc. first posted details of the hack yesterday afternoon after finding rogue code embedded in the site's HTML. That code, actually an IFRAME exploit, silently redirected users to a hacker server, which pushed 22 different pieces of malware onto vulnerable PCs. By Sunbelt's tally, the malware included one worm, three rootkits, five Trojan downloaders, and several password stealers. "The biggest issue is the sheer volume of malware we've had to analyze," said Alex Eckelberry, Sunbelt's CEO, in a blog posting yesterday.
Other researchers dug up more information. According to Roger Thompson, the chief technology officer of Exploit Prevention Labs Inc., the bank's site was compromised sometime between late Wednesday and early Thursday (U.S. time). How it was hacked, however, is yet unknown, as is how many bank customers might have been infected by the attacks.
When contacted Friday, executives and IT administrators at U.S. offices of Bank of India were unaware of the hack. Later, after reaching his colleagues in India, a U.S.-based spokesman said only: "They are aware of the problem. Bank IT and security people are working on this now." He had no other information on the severity of the attack or its duration, however.
For his part, Thompson posted a video of the hack (.wmv file download) that showed the massive infections and resulting system changes in a debugger window. At one point, he pointed out a couple of pop-ups that appeared during the infection. "The pop-ups aren't the problem, the problem is that you're already hosed if you're not patched," he said. "You're comprehensively owned at this point."
By 10:30 a.m. Eastern, the site was clean, Eckelberry reported.
All clues point to the notorious Russian Business Network (RBN) gang, said Eckelberry. Based in St. Petersburg, RBN has been dubbed "the baddest of the bad" by VeriSign iDefense, and is reportedly involved in everything from spamming and phishing to denial-of-service attacks and selling child pornography over the Internet.
"There has been speculation as to whether the malware was installed through an exploit framework -- Webattacker, Mpack, Icepack -- as it was encrypted in the same way as Webattacker," said Eckelberry.
Thompson confirmed the breach. In a blog of his own, Thompson said it looked like the "standard Mpack/Icepack stuff" to him.
The Bank of India hack is only the latest example of a legitimate Web site behing compromised, and serving up malware to unwary visitors. In the U.S., the most serious incident was earlier this year, when the site belong to Dolphin Stadium, host to the National Football League's Super Bowl, was hacked just days before the big game.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts