Mass website hack aimed at online gamers
According to the latest analysis, the mass website hacks that have been showing up over the last week are aimed at stealing access credentials for online games. The hackers' most prominent victims serving the malware have been the Wall Street Journal and the Jerusalem Post websites.
The hacked web servers are all Microsoft Internet Information Server (IIS) and ASP.NET based, but analysis by a number of security service providers has shown that the attacker used SQL injection vulnerabilities in custom web applications to hack the websites. Administrators are advised to check their systems for any signs of interference and tampering.
The SQL injection vulnerability allows attackers to write their own HTML and JavaScript into the hacked sites' content management system database. Specifically, the attackers embedded code which loads an exploit for the recently discovered vulnerability in Flash Player into an iframe. The attackers' code then tries to infect the hacked sites' visitors' systems with trojans. The attackers' objective appears to be to steal access data for Asian gaming websites such as aion.plaync.co.kr, aion.plaync.jp and df.nexon.com. The Flash Player vulnerability has been fixed in version 10.1.
According to web application firewall vendor Armorize, the attackers proceeded according to a careful plan. Prior to the SQL injection, scripts were used to probe sites for vulnerabilities, and vulnerable systems were then infected with the zero-day exploit. Armorize says that this was achieved using techniques for bypassing web application firewalls.
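Since the injected payload lives in the CMS database as stored HTML, one practical tampering check is to scan the text columns for iframe or script tags whose src points at a host the site does not own. The following is an added example, not code from the article or from any of the vendors named; the table, column names, trusted host and the sample rows (including the malicious.example and evil.example hosts) are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Matches iframe/script tags that pull content from a src URL; injected
# payloads in mass SQL injection campaigns are typically of this shape.
INJECTED_TAG = re.compile(
    r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def find_injected_tags(text, trusted_hosts):
    """Return (tag, src) pairs whose src host is not in trusted_hosts.

    Relative src values (no host) are treated as same-origin and ignored;
    protocol-relative '//host/...' values are resolved to their host.
    """
    hits = []
    for tag, src in INJECTED_TAG.findall(text):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted_hosts:
            hits.append((tag.lower(), src))
    return hits


def scan_cms_table(conn, table, columns, trusted_hosts):
    """Scan text columns of a CMS table; return (rowid, column, tag, src)."""
    # table/columns come from the administrator running the check, not from
    # user input, so building the identifier list here is acceptable.
    cols = ", ".join(columns)
    findings = []
    for rowid, *values in conn.execute(f"SELECT rowid, {cols} FROM {table}"):
        for col, value in zip(columns, values):
            for tag, src in find_injected_tags(value or "", trusted_hosts):
                findings.append((rowid, col, tag, src))
    return findings


def demo():
    # Constructed in-memory stand-in for a CMS articles table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [
        ("Clean story", "<p>Normal text with <a href='/about'>a link</a>.</p>"),
        ("Tampered body", "<p>Text</p><iframe src=\"http://malicious.example/x.htm\""
                          " width=0 height=0></iframe>"),
        ("Tampered title<script src='http://evil.example/a.js'></script>", "<p>ok</p>"),
    ])
    return scan_cms_table(conn, "articles", ["title", "body"], {"www.example.com"})
```

Run against a production database, the same scan should be pointed at every free-text column the CMS renders, with the site's own content hosts in the trusted set.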
A Chinese group known as dnf666, which was also responsible for a major SQL injection attack in March, appears to be behind the attack.
See also:
- Adobe releases final version of Flash Player 10.1, a report from The H.
- Exploit for new Flash vulnerability spreading fast, a report from The H.
- Zero-day vulnerability in Adobe Flash Player, Reader and Acrobat, a report from The H.
- Another mass attack on websites, a report from The H.
(crve)