The perpetrators behind the notorious Storm Worm trojan and botnet have unleashed several waves of holiday-inspired bogus email messages recently, and they may not be able to resist the ultra high profile offered by the NFL's championship game, he noted.
Additionally, Hubbard said, a number of domains with Super Bowl-related URLs have been registered, but the destination sites for these URLs have yet to materialise, raising the possibility that a number of malware-infused sites will pop up in the next few days hoping to snare fans googling myriad Super Bowl sites.
While Super Bowl-related phishing emails and bogus game sites containing malware may be inevitable, perhaps the ripest potential targets are the largest legitimate Super Bowl websites – like the official game site (www.superbowl.com) and the Patriots' website, which now are notching millions of visits per day.
Last year, the website for Dolphins Stadium, which hosted Super Bowl XLI, was victimised when a JavaScript-enabled trojan was inserted in the homepage for the site.
Hubbard told SCMagazineUS.com that the increased sophistication and interactive functionality of the major Super Bowl websites also may have increased the vulnerability of these sites.
“These official sites are constantly adding bells and whistles, including functions that encourage users to contribute content. These features are going up so quickly, essentially they are in beta and released at the same time,” he said, adding that Super Bowl site managers must be constantly vigilant in scanning their sites for vulnerabilities, keeping pace with would-be hackers who no doubt are doing the same thing.
Websense Security Labs was at the forefront of the discovery of the hack of the Dolphins Stadium and team websites. A JavaScript-enabled trojan, attempting to exploit vulnerabilities in Internet Explorer's handling of Vector Markup Language, was inserted in the sites' homepages, enabling hackers to steal information from visitors for several hours before alerts were issued.
Websense's Threatscanner system detected the malicious code and automatically generated a warning telling users to stay away from the Dolphins' site, Hubbard said. When a Websense customer asked the internet security firm to explain the warning, Websense posted an alert and notified Dolphins Stadium officials, who in turn notified the FBI.
See original article on scmagazineus.com