Home & Office

Websense: Hijackers target S'pore site

Security vendor reports Web site of local book and stationery store Popular Holdings fed visitors malicious code on Saturday; firm says problem has been rectified.
Written by Vivian Yeo, Contributor

SINGAPORE--The Web site of local book and stationery company Popular Holdings was hijacked on Saturday, according to a security vendor.

In an alert released Saturday, Websense said the Singapore site was compromised and infected site visitors with malicious code.

The obfuscated Javascript code redirected visitors to an exploit site using an Iframe tag--in the same style as the recent Gumblar attacks. Websense identified the exploit site as karlast.com, and subsequently suptullog.com. At the time of updating the post, the exploit site had been taken down, the company said.

Websense added in its blog post that Popular had been notified about the incident. Confirming this, a Popular spokesperson told ZDNet Asia the problem "was immediately addressed upon notification" on Saturday.

"Our IT team had not only cleaned up the malicious code, but had also strengthened the firewall and security measures for the Web site," Lynn Lee, marketing manager at Popular Holdings, said in an e-mail. "We found no loss of customer data after a thorough investigation, and the online store is still functioning as per normal via eNets' [highly-secured] payment gateway."

Lee added the company would continue its investigation on the malicious act, and take legal action if necessary against "unauthorized tampering" of its Web site, which is hosted in Hong Kong and jointly maintained with an IT team in Singapore.

Attacks continue to prey on Web sites
Separately, Trend Micro warned of a new wave of compromised Web sites that appears to be unconnected with the Gumblar attacks that began in March.

According to Trend Micro, the attacks carry the signature Gumblar approach--using a malicious Iframe embedded in a legitimate Web site. The Iframe redirects to another Iframe, which executes the obfuscated Javascript code. Some of the malicious files the exploit tries to download include info-stealers that try to intercept names, passwords and other account or installation information.

Websense last week also identified a new attack unrelated to Gumblar, which it said had infected 40,000 Web sites. On Gumblar, the security firm said the number of compromised sites peaked at 82,500 on May 26, and hovered around 50,000 at the end of last month.

Editorial standards