SAN DIEGO – Websense Security Labs has discovered a new Chinese attack method that has infected hundreds of thousands of reputable websites: visitors are automatically redirected to a malicious site that installs a keylogger to capture sensitive information.

According to Stephan Chenette, manager of Websense Security Labs, these attacks are originating from China and have infected sites such as a UK recruiter site and a United Nations event site.

“What [the attackers] have done is created a mass scale SQL injection attack allowing them to put a malicious IFrame on all these sites,” said Chenette.

An IFrame is an HTML tag, placed in a webpage's source code, that embeds another web page inside it.

“In the source is an IFrame that automatically redirects users to a malicious website,” said Chenette. “There is an exploit on that page that takes advantage of their browser and a keylogger is installed automatically without knowledge to the user.”
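As an added example (not Websense's or the article's own code), the following scans a page's HTML for IFrames of the kind Chenette describes: frames whose source is off-site, or that are sized to zero or hidden so the visitor never sees them. The site's own domain (example.com) and the sample HTML are constructed for illustration; a site owner would run the same check over stored page content or database text fields.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not Websense's code). Assumption: the audited site is example.com.
SITE_HOST = "example.com"

# Constructed sample: a normal page whose footer carries an injected IFrame,
# pointing off-site and sized 0x0 so visitors never see it.
SAMPLE_HTML = """<html><body>
<h1>Recruitment news</h1>
<iframe src="https://www.example.com/embed/video"></iframe>
<p>Copyright 2008</p>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class IFrameAuditor(HTMLParser):
    """Collect every <iframe> in the page and record why it looks injected."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reason, ...])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        # Off-site source: host is neither the site itself nor one of its subdomains.
        if host and host != SITE_HOST and not host.endswith("." + SITE_HOST):
            reasons.append("off-site src " + host)
        # Zero-size or hidden frame: content the visitor is never meant to see.
        if "0" in (a.get("width", "").strip(), a.get("height", "").strip()):
            reasons.append("zero-size")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if reasons:
            self.findings.append((src, reasons))


def find_injected_iframes(html):
    """Return [(src, reasons)] for each iframe that is off-site, zero-size or hidden."""
    auditor = IFrameAuditor()
    auditor.feed(html)
    return auditor.findings
```

A legitimate frame that happens to be off-site will also be flagged, so the output is a review list for the site owner, not an automatic verdict.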

He added that the keylogger on a user’s machine is being used to steal key strokes that look for passwords, user names, confidential and private information. This information is then sent back to the malicious host.

Chenette said that these attackers use a tool that leverages Google’s search engine to try and find vulnerable machines on the Internet so that they can spread the IFrame even more.

Even though Websense only noticed these attacks in the last few weeks, they actually started in December 2007.

“These attackers were creating a lot of tools to attack smaller websites specifically in China to gauge how successful this attack will be and optimize the tools being used [before] launching a larger scale attack,” noted Chenette.

He added that the attack is still ongoing but has scaled down a bit. However, what makes it difficult to stop is that users are no longer being redirected to one host but to multiple hosts that number 50,000 or 60,000.

Chenette said that eventually this attack will stop but in the meantime, he suggested that website owners and creators need to take a closer look at their ASP code as these attacks have predominantly hit Microsoft’s IIS servers.

“They need to validate the input from users,” he added. “One of the difficulties of the web today is much of the web content is created by users themselves as opposed to site owners, and because of this it has become easier for attackers to actually take advantage of code that has been written for these websites.”

As well, Chenette recommended that website owners keep their website servers patched at all points.

For end users, Chenette said that they need to be skeptical at all times of the websites they visit. If they receive an e-mail containing a URL, they should be cautious: not trust it or click on it automatically, but look into what the URL is beforehand.

This column was written by Vanessa Ho of ConnecIT
