The delay – Sunbelt Software researchers first notified the bank Thursday that its website was distributing 30 types of malware – was necessary to ensure complete removal, experts said. Often times, site engineers fail to shore up all of the holes, which may allow attacks to continue.
“You typically find that if the bad guys find a way to compromise one page, they compromise other pages as well,” Roger Thompson, chief technology officer of Exploit Prevention Labs, told SCMagazineUS.com. “We often see that the sites get re-hacked.”
The hackers, believed by Sunbelt to be part of the Russian Business Network (RBN) criminal gang, unleashed two server exploits that took advantage of machines not patched with the latest MicrosoftWindows updates, Thompson said.
Visitors to the bank's home page could have been infected if their machines were not updated with the MS06-042 bulletin, a cumulative fix for Internet Explorer that was issued in August 2006, or January 2007's MS07-004 update, which corrects a vulnerability in vector markup language.
It is unknown what mode of attack the criminals used to drop malicious IFRAME links on the site, but experts believe the gang may have injected a malicious script.
Jeremiah Grossman, founder and CTO of WhiteHat Security, told SCMagazineUS.com today that hackers now focus their attacks on website visitors.
Reports today said the Bank of India site was compromised through a U.S.-based hosting provider. Grossman said hosting providers often fall victim to silent attacks and they offer big targets because they provide criminals with access to thousands of sites.
Bank officials could not be reached for comment. It is unknown how many Americans may have been affected, but experts believe many US residents use the bank.
Thompson said end-users should be wary of similar website exploits, and they are more likely to be affected in the office than at home.
“Where they catch people is when they are doing their banking at work,” he said. “People think they're safer at work being behind the corporate firewall and corporate anti-virus, but companies tend not to patch automatically because they run a lot of home-grown applications.”
Grossman said bank customers should remember to patch their machines and run a platform or alternative web browser that attracts less attention from the malicious community.
“They're definitely out of harms way,” he said. “Nobody is going after these systems en masse.”
Bank of India website back online, without malicious code
By Dan Kaplan on Sep 5, 2007 2:56PM