Security researcher Dancho Danchev has raised the red flag in his blog about a new scam the bad guys are using to corrupt hundreds of thousands of Web sites with IFrame redirects. Visit one of these corrupt pages and you just might find yourself caught on another site rigged with malicious code.
The infamous hacking group known as the Russian Business Network (RBN) appears to have a hand in this, he says.
“The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object.”
Danchev says these are the high-profile sites targeted by the same group within the past 48 hours, along with the number of locally cached, IFrame-injected pages within their search engines:
NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1,040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages
More than 400,000 pages appear to have been compromised.
“To sum up — it’s a mess that I’ll continue trying to structure, and it’s a single group exploiting input validation capability within the sites’ search engines we’re talking about,” Danchev said. “With this segmented targeting of sites with high page ranks, and their persistence, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites acting as the redirectors to the malware locations.”
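An added example, not code from Danchev's post or from any affected site: it assumes the site search page echoes the search term into a results page that is then cached, and shows the unencoded form beside the HTML-encoded one, plus a check that flags off-site frames in cached pages. The host names, the sample search term and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "library.example"  # constructed site name (assumption)

def render_results_unsafe(query):
    # Weak form: the search term is echoed into the page verbatim.
    return "<h1>Results for " + query + "</h1>"

def render_results(query):
    # Hardened form: HTML-encode the term so any markup in it is shown as text.
    return "<h1>Results for " + html.escape(query, quote=True) + "</h1>"

class _FrameCollector(HTMLParser):
    """Collects the src attribute of every iframe/frame element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def offsite_frames(page_html, site_host=SITE_HOST):
    """Return frame sources whose host is not site_host or a subdomain of it."""
    collector = _FrameCollector()
    collector.feed(page_html)
    collector.close()
    flagged = []
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            flagged.append(src)
    return flagged

# Constructed search term carrying frame markup (placeholder host).
SAMPLE_QUERY = 'books <iframe src="http://redirector.example.invalid/"></iframe>'

def audit(pages):
    """Map page name -> off-site frame sources, only for pages that have any."""
    return {name: hits for name, body in pages.items()
            if (hits := offsite_frames(body))}

if __name__ == "__main__":
    cached = {"unsafe": render_results_unsafe(SAMPLE_QUERY),
              "hardened": render_results(SAMPLE_QUERY)}
    print(audit(cached))
```

Running `audit` over a site's cached search-result pages gives a quick list of pages that need purging from the cache and from search indexes once the encoding fix is in place.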
Source: feeds.feedburner.com
Supermarket chain discloses breach
East Coast supermarket chain Hannaford Bros. Co. said Monday that its network was broken into and customer credit and debit card numbers were stolen.
The Associated Press reported that company officials said the breach exposed 4.2 million credit and debit cards and led to 1,800 cases of fraud.
In a statement on the company’s Web site, Hannaford CEO Ron Hodge said the stolen data was limited to credit and debit card numbers and expiration dates; no personal data was accessed. The card numbers were stolen from Hannaford’s computer systems during transmission of card authorization.
The breach affected Hannaford stores in New England and New York, Sweetbay stores in Florida and some independently-owned retail locations in the Northeast that carry Hannaford products. Hannaford discovered the intrusion on Feb. 27 and alerted law enforcement officials.
The company advised customers who made purchases at its stores using credit and debit cards over the last three months, and who suspect their accounts may have been compromised, to immediately notify their card issuer or bank.
In his statement, Hodge said Hannaford “doesn’t collect, know or keep any personally identifiable customer information from transactions.” He added, “We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry.”
Meanwhile, the Massachusetts Bankers Association said in a statement Monday that Visa and MasterCard have notified 60 to 70 banks in Massachusetts about a large data breach involving what the card companies would only describe as a major retailer.
The MBA estimates that “hundreds of thousands” of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. The association said it has been in discussions with the card companies and pursuing legislative alternatives that would require that the name of the retailer involved in a breach be released.
Source: feeds.feedburner.com
McAfee discovers 10,000 malware-laced sites
McAfee is ringing the alarm bell over its discovery Wednesday of some 10,000 Web pages attackers have rigged with PC-hijacking malware. The security vendor says it’s one of the largest attacks to date of this kind.
Here’s what a company spokesman told me by email:
“The Web pages have all been modified with code that silently redirects visitors to another Web site laden with a malware cocktail that attempts to break into the user’s PC. The redirect and the attempted break-ins all happen unbeknownst to the Web surfer.”
The spokesman said compromised Web pages include those found on travel sites, government sites and hobbyist sites. The attack serves as a reminder that even trusted Web sites could be malicious.
“Often you hear warnings about not going to untrusted sites,” Craig Schmugar, threat researcher at McAfee Avert Labs, said in a statement. “That is good advice, but it is not enough. Even sites you know can become compromised. You went to a place before that you trust, but that trust was violated through a vulnerability that was exploited.”
Miscreants likely rigged the Web pages in an automated attack that included scanning the Internet for unsecured servers and subsequently planting a piece of JavaScript code that redirects to a site in China to serve up the malware, he said. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC.
The malware that’s ultimately planted on the PC tries to steal passwords to online games. A back door also allows the subsequent installation of additional malicious programs. Cybercrooks have increasingly been targeting online gamers, as items in virtual worlds and characters in games now have real monetary value in the physical world.
McAfee first spotted this attack on Wednesday morning, March 12. A number of the 10,000 compromised pages have already been cleaned up. A single entity is likely behind this attack, since the malicious code on all these pages was served up from the same server in China.
Be careful out there.
Source: feeds.feedburner.com