14 DAY TRIAL // A gang of hackers targeting infecting predominantly ASP and ASP.NET websites with malicious code, has launched a new attack that so far affected at least 1,500 domains.
"A large number of sites have been hacked again in the last few days with a malware script pointing to google-stat50.info (and google-stats50.info)," David Dede of Web integrity monitoring vendor Sucuri Security, warns.
"Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few months ago," he adds.
The robint.us mass injection took place at the beginning of June and got a good coverage in the media because it affected the websites of the Wall Street Journal and Jerusalem Post.
According to Web application security vendor Armorize, the same hackers were responsible for similar attacks in March and July.
At the time, the company revealed that the gang was using a Web exploit toolkit to infect users with a trojan specifically designed to steal online gaming credentials.
Online gaming accounts are a valuable resource for criminals, who sell them on the underground market, especially in Asia, for significant profits.
Just as in the robint.us case, the websites compromised in this new attack are all using ASP or ASP.NET and are vulnerable to SQL injection.
There's no accurate estimation as to how many websites have been affected so far, but Google's Safe Browsing diagnostic page for google-stat50.info claims that it was used to infect 1,583 domains.
The diagnostic page for google-stats50.info (with plural for stat) lists a similar figure, but for both cases Mr. Dede explains that "the number is a lot bigger, since not all the sites got checked by Google."
Since these attacks attempt to exploit vulnerabilities in outdated versions of popular software users can protect themselves by keeping their applications up to date. Free tools like Secunia's Personal Software Inspector (PSI) can make this task significantly easier.
Antivirus vendors add detection for such exploits pretty quickly, so having an up-to-date AV program running on the computer when surfing the Web is a must.
Firefox users can also install the NoScript extension, which blocks scripts loaded from external domains, unless manually allowed by the user. This can thwart most of these attacks.