'Italian job' attacks pick up steam

Powered by SC Magazine
 

GLOBAL - Ten thousand websites now unknowingly host mailicous attack.

A rash of web-based attacks that www.vnunet.com is quickly expanding and has now infected 10,000 website around the world.

When security researchers first noticed the threat, it has affected 1,000 Englished language websites that were all in .it domain for Italy. By Monday however, the attack had gone worldwide and had drawn the attention of the FBI.

The attackers behind the vulnerability use known exploits in webserver applications to post attack code on third party websites. The actual attack is carried out when a user visits a compromised site. It then redirects the user to another server that runs MPack, a web-based attack tool that delivers an exploit specially designed to target flaws in each individual user's web browser. The exploit installs spyware and a keylogger.

Traffic is bounced from the compromised sites to a server in the San Francisco Bay Area which then redirects to the attack server which is currently located in Chicago, according to Paul Ferguson, a network architect with security vendor Trend Micro.

Ferguson noted that the San Francisco server uses an IP address registered to an Hong Kong entity, and is hosted by a company that is notoriously slow in responding to complaints about illegal activities on its network. Because law enforcement is currently investigating the case, the name of the hosting service could not be disclosed.

Even though the attacks are carried out in the US, Ferguson said that the commercial status of the MPack tool makes it difficult to pinpoint the location of the criminals responsible for the attacks. The attack code sells on message boards for anywhere from US$700 to US$1000.

Whoever is responsible for the attacks did not launch them on a whim, noted Ferguson. The prevalence of affected sites, the use of a host that is known for harboring criminals, and the fact that the attack was launched at the end of the work-week are all indications that the operation was planned out extensively, he argued.

Fully patched systems however should be safe, because none of the vulnerabilities targeted by the MPack tool are zero-day flaws.

Both Trend Micro and Symantec recommend that users install all current vendor patches for both their operating systems and browsers. Trend Micro also recommends that network administrators implement both HTTP and spyware scanning systems, as well as restrict the ability of network users to load and unload device drivers.

Copyright ©v3.co.uk


'Italian job' attacks pick up steam
 
 
 
Top Stories
Westpac committed to core banking plan
[Blog post] Now with leadership.
 
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1156

Vote