Hackers hit 10,000 sites, launch 'phenomenal' attack
LATEST NEWS
- NZ game industry: Govt support for development increasing
- Telecom opens pre-orders for Samsung Galaxy S III || 4
- Video, connection costs major factors in broadband uptake: ComCom
- No more risk to privacy on Facebook, than web: MED
- Raspberry Pi arrives in New Zealand || 4
- InternetNZ invites ICT organisations to meet
SUBSCRIBE
Computerworld is New Zealand's only specialised information systems fortnightly. Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
SIGN UP
Italian sites hit, but no sites in the world are safe, security experts say
By Gregg Keizer | Framingham | Tuesday, 19 June, 2007
Attackers armed with an exploit toolkit have launched massive attacks in Europe from a network of at least 10,000 hacked websites, with infections spreading worldwide.
As early as Friday, analysts reported the opening salvos of a large-scale attack based on the multi-exploit hacker kit dubbed "Mpack". The mechanics of the attacks are involved, but essentially attackers taint each compromised site with code that then redirects visitors to a server hosting the Mpack kit — a professional, Russian-made collection of exploits that comes complete with a management console to detail which exploits are working, and against what countries' domains.
Infected computers are fed a diet of malicious code, largely keyloggers that spy out usernames and passwords for valuable accounts, such as online banking sites.
"The gang behind the attack has successfully compromised the homepages of hundreds of legitimate Italian websites," said Symantec researcher Elia Florio in a posting to the vendor's security response blog on Friday. "The list of compromised sites is huge and from Mpack statistics this attack is working efficiently."
Florio says Symantec is uncertain how the sites were originally hacked, but suspected a common vulnerability or configuration problem at the hosting level. Paul Ferguson, a network architect with Trend Micro, would only guess at how sites were hijacked, but said that the 'how' is mostly moot. What's important: "The hackers seem to be able to find a lot of sites to compromise no matter where they look."
By Friday night, Symantec had pegged the number of compromised sites feeding Mpack exploits at 6,000; by yesterday, security vendor Websense said it had tracked more than 10,000. "That's a phenomenal number," argued Ferguson, who said that previous compromised-site attacks using hacker kits could be counted as "several hundred here, a couple hundred there".
Screenshots of the Mpack management console posted by Websense on Monday and Symantec on Friday illustrate the large numbers of computers that have surfed to the compromised sites, and the high success rate of the Mpack-delivered exploits.
"The lion's share of the sites we're seeing are in Italy still," said Ferguson, "but we're seeing sites all over the world as well." For instance, Trend Micro has identified hacker-controlled sites hosted in California and Illinois. The California site is hosted by a company Ferguson called "notorious", but he wouldn't divulge the hosting vendor's name.
"The usual advice we give, 'avoid the bad neighbourhoods of the web', just doesn't hold water anymore" when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighbourhood now."
MOST POPULAR
- Google search will incorporate 'knowledge graph'
- Chorus extends introductory fibre trial for RSPs until December
- IBM boosts returns to parent company, paying $20m to US
- Raspberry Pi arrives in New Zealand
- Wellington gears up for Digital Earth summit
- J*******k: Dirty word disappears from Apple iTunes store
Social Media @Computerworld NZ
Computerworld NZ has now reached LinkedIn! Join to expand your networks and meet others interested in information systems.
