Samsung Web site hosts password stealing trojan

Samsung Web site hosts password stealing trojan

Summary: Samsung Web site stealing users banking passwords


update Samsung's US Web site is hosting a Trojan horse that logs keystrokes, disables antivirus applications and steals online banking access codes, according to Internet security firm Websense.

Visitors to the Web site are not affected by the malware and Websense believes Samsung's Web server has most likely been compromised in order to serve malware to users that receive spam messages or malicious IM messages.

Joel Camissar, Australian country manager for Websense, told ZDNet Australia that Samsung has been informed about the issue but has not yet removed the offending files.

"As of this morning [Sydney time] the malicious code on the Web site was still active," he said.

According to an advisory published by Websense, "The server appears to have been compromised and has been hosting a variety of files for some time. The most current code, which is still available for download, is a Trojan Horse that attempts to disable antivirus programs, modify registry keys, download additional files, and log keystrokes when connecting to banking Web sites."

Camissar admitted that it was possible that the hackers who compromised Samsung's servers would have been able to modify the company's Web site so visitors using a vulnerable browser would become automatically infected with the malware.

"Why not hack into a site that people are visiting that is a trusted brand? Trust is so important these days. People are being preached to by banks not to trust links [in unsolicited emails] -- that is something people are starting to follow. So if one does go to a site that is trusted, it is certainly a very easy way for hackers to compromise users," added Camissar.

Earlier this week, Dave Cole, director of Symantec Security Response, warned on his blog that hackers are exploiting Web technologies such as Ajax and JavaScript to compromise "trusted" Web sites with malware.

"It's worth noting that most high-impact attacks may be performed on popular sites where someone has embedded an attack in an otherwise benign location for user-created content, advertisements, or comments.

"Sure, there will be enticements to bring people to outright nasty sites loaded with exploits, but a more successful and insidious attack would leverage a person's trust of an already known, popular site," wrote Cole.

Cole said it is still early days for these kinds of attacks: "From port scanning to fingerprinting and basic network mapping, all done using the AJAX group of technologies, it's clear that we've only begun to see what's possible via malicious Web sites".

"While they may not have the immediate impact of a WMF-style vulnerability (ie: remote admin-level control), they leave no trace once the browser is closed and don't rely on a researcher uncovering a Godzilla-style hole in a popular Web browser," he added.

Last month, the School of Media, Film and Theatre at the University of NSW admitted that one of its Mac servers had been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch.

Samsung was unavailable for comment.


Topics: Samsung, Malware, Mobility, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Samsung Knew 4 months ago

    Samsung knew about this in May. I know because I reported it to the Director myself. The Director of IT at the Dallas office of SDSA was informed that we had received an email from CERT Brazil about this. We had verified it also. I was not with the company any longer shortly after this. So it should have been followed up on by them.

    So in short, they knew, and have known for months.
  • How about some actual information?

    So are we just supposed to guess how the trojan is delivered? Is it active-x? a download? Is this a 12 year old writing this?

    Thanks for nothing
  • Macs are immune to this.

    So I'd suggest buying one.
  • Specifics needed

    I agree with Rivett. I wish the story had specified what the offending files in question were. It would be helpful to those who have to visit the Samsung site or had downloaded anything from there recently.
  • Seems this is becomming more common...

    Sounds like, Samsung decided it easier to play stupid than to battle a hacker that was out of thier league. Sad really. I mean the number of users whom trusted Samsung that were infected and don't know it are probably astronomical by now.
    But not shockingly this type of trojan has also been sweeping the World of Warcraft player group as well (Most attempts done through the official WoW forums). As most users know very little of security or to not click on every link they come accross. Oddly enough this version only seems to be targeted towards getting users WoW account info to steal users online currency. :/
    Seems that also weeks earlier a similar Trojan was put in a banner on the gamming help site but was actually dealt with in a timely matter... unlike what Samsung is doing in this case.
  • Seems java is one deliverly method...

    From what I have heard it seems to usually be java is the offender (Which makes sense). But I highly doubt that is the only medium it could use to attack, just the flavor of the month for now. If you are a Firefox user, try NoScript for now. It at least will not allow a script till you allow it.
  • security