“Baiting” Web Surfers
by Sunil James

In case you haven’t already heard, a variety of websites, including those with content about “fish and tackle,” have been identified as compromised: when people browse to the site, they are redirected to an alternate location, where their host is in turn compromised so that attackers can steal potentially sensitive data and use the host itself to launch future attacks.
Fish and tackle….wow.
What I find particularly interesting about this is not the technical aspects of how exploitation occurs, but rather the measured approach employed by one or more individuals to execute such an attack. As with any product acquisition, the first step is for the buyer to identify a set of vendors with the desired product. In this case, the attacker acquired an exploitation framework that employed rigorous software engineering processes and was distributed and marketed in a fashion similar to mainstream software. By that, I mean that the framework purveyor(s) developed marketing collateral, offered tiered product and service pricing, and offered one year of support. From there, the attacker folded the tool into the pre-built network of compromised hosts and waited for users to be compromised; all the while being provided with up-to-date statistics about who was being exploited, what country they were based in, and what exploits were most effective.
Rather than employ web servers hosting illegitimate content, the attackers employed primarily Italian web servers hosting fairly benign content, including tourism, hotels, automotive, movies and music. August in Italy is notorious for effectively being one long holiday. That makes these web servers ideal targets, as a multitude of vacationers (not just Italians or other Europeans) are visiting these sites and seeking information about how to spend the holiday.
This methodical approach is consistent with an unnerving trend of attackers employing re-usable systems for future financial gain (see Danny’s “Botconomics” post to learn all about this). In the short-term, the attackers will likely employ the stolen financial information to build a larger network of compromised hosts. The attackers themselves can subsequently utilize that network, or they can seek some sort of “ROI” by “leasing” out the network to other attackers. Either way, this case further emphasizes the importance of security vendors and service providers doing as much as possible to provide Internet users with as safe a browsing experience as possible. While hosts should certainly be patched as quickly as possible, network security vendors (like us) are working with service providers who own the “pipes,” thereby allowing us to attack this problem from a different, hopefully more successful, perspective.