Web attacks via ARP spoofing
Individual web servers can be used to deploy malicious code - for example via IFrames - even if the servers themselves have not been infected. The Chinese Internet Security Response Team (CISRT) reported an incident in which their own web server became the victim of such an attack. Although the method itself is far from new, it has not so far been used extensively in this context. Attackers will infiltrate a server or virtual domain server operated by a web hosting service and use ARP spoofing techniques to divert connections between the gateway and other web servers via the infiltrated server.
A special proxy will then embed an additional IFrame into those web servers' responses which will, in turn, retrieve specially crafted code from another malware server to infect the visitor's system via browser vulnerabilities. According to McAfee, some versions of the web attack toolkit MPack used by cyber criminals support ARP spoofing.
The advantage of this method for attackers is that only one system needs to be infiltrated, making it more difficult to trace the attack. There is also no need for mass hacks. However, ARP spoofing is not possible in every environment. The systems of good web hosting services are either configured to be immune to ARP spoofing or can detect these attacks very quickly.
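One way a hosting operator could detect the diversion described above, shown as an added example that is not part of the original article: compare observed ARP replies against known-good bindings for the gateway and web servers, and flag any MAC address that answers for several IP addresses. The log lines, addresses and the `PINNED` table are constructed for illustration, and the line format is modelled on tcpdump's ARP reply output.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies in the style of tcpdump output, not captured traffic.
SAMPLE_ARP_LOG = """\
10:00:01.100 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 46
10:00:02.200 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:10, length 46
10:00:03.300 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:20, length 46
10:00:04.400 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:66, length 46
10:00:04.500 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:66, length 46
10:00:05.600 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:66, length 46
"""

REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")

def parse_replies(log_text):
    """Yield (timestamp, ip, mac) for every ARP reply line; skip other lines."""
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def find_arp_anomalies(log_text, pinned):
    """Return alerts for replies that contradict pinned IP-to-MAC bindings
    and for MAC addresses that answer for more than one IP address."""
    alerts = []
    ips_by_mac = defaultdict(set)
    seen = set()  # report each conflicting (ip, mac) pair once
    for ts, ip, mac in parse_replies(log_text):
        ips_by_mac[mac].add(ip)
        expected = pinned.get(ip)
        if expected and mac != expected.lower() and (ip, mac) not in seen:
            seen.add((ip, mac))
            alerts.append(("binding-mismatch", ts, ip, mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:  # one adapter answering for gateway and servers
            alerts.append(("mac-claims-many-ips", None, ",".join(sorted(ips)), mac))
    return alerts

# Assumed known-good bindings for the gateway and one web server (hypothetical values).
PINNED = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.10": "00:00:5e:00:53:10"}

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_ARP_LOG, PINNED):
        print(alert)
```

On the sample, the MAC ending in `:66` is reported for contradicting both pinned bindings and for answering as the gateway and a web server at once, which is the pattern a host produces when it places itself between the two.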
- ARP Spoofing: Is Your Web Hosting Service Protected?, McAfee's blog entry