Mass injection attack compromised 20,000+ domains, delivers fake AV
Posted on 18 August 2011.
A simple mistake on the part of cyber attackers has revealed another mass malicious iFrames injection attack that is currently under way, say Armorize's researchers.

Initially, they forgot to include a tag before the actual malicious code, so it was indexed by Google and, therefore, searchable. The initial number of compromised domains was around 22,400, with a total of 536,000+ infected pages.

Unfortunately, the attackers remedied their mistake and the injected script is not visible to Google anymore, so the current number of affected pages is unknown.

What is known is that the script takes the victims through a number of redirection sites and lands them on a page where a drive-by download script is served by a modified version of the BlackHole exploit pack.

The exploit pack takes advantage of vulnerabilities in the Windows OS, Java, Adobe Reader and Flash Player to install a fake AV solution on the victim's computer. The malware is immediately executed and begins scaring the user.


The fake solution changes its name depending on the OS it encounters on the targeted computer. It is "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

According to the researchers, the redirecting domains are hosted in Moldova, and the exploit servers in the US. As to how legitimate sites get injected with the malicious iFrame, they say it's mostly by using stolen FTP credentials.

Unfortunately, the malware served has a very low detection rate (11.6 percent on VirusTotal), so the best way to defend yourself from this type of threat is to keep all your software up to date in order to thwart the exploit kit.
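
As an added example (not from Armorize or the original article), here is a small Python check a site owner could run over their own pages to flag the kind of injected off-site iframe or script described above. The hidden-frame heuristics, the allowlist and every host name in the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: injected frames are hidden from visitors (tiny size or CSS hiding).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}

# Constructed sample page; hosts are placeholders, not campaign indicators.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="http://redirector.example.org/in.php" width="1" height="1"></iframe>
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collects <iframe>/<script> tags whose src points to an untrusted host."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__(convert_charrefs=True)
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        except ValueError:
            host = "unparseable-src"  # malformed URL: surface it for review
        # Inline/relative sources and allowlisted hosts (or subdomains) pass.
        if not host or any(host == t or host.endswith("." + t) for t in self.trusted):
            return
        hidden = tag == "iframe" and (
            a.get("width", "").strip() in TINY or a.get("height", "").strip() in TINY
            or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append({"line": self.getpos()[0], "tag": tag, "host": host,
                              "severity": "high" if hidden else "review"})


def scan_html(html, site_host, allowed_hosts=()):
    """Return a list of findings for one HTML document."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Running `scan_html` over files pulled from the web root after every FTP upload, and comparing the findings against the previous run, surfaces new off-site references even when search engines no longer index the injected code.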






COPYRIGHT 1998-2014 BY HELP NET SECURITY.