One Site can end up a Malicious Hive

Monday, April 30, 2012 @ 02:04 PM gHale


One vulnerable web site may end up serving a number of cyber criminal organizations, each one altering the site to suit its own purposes.

In many cases, websites end up compromised and altered to lead visitors to domains that push fake antivirus programs, which lately have become a great way for criminals to earn a big payday, security researchers found.


Once they take over the site, the attackers rely on black hat SEO techniques to increase traffic to their fake programs, said researchers at Zscaler.

In order to do this, they set up two different pages on the compromised domain. First, they create a spam page that search engines, security scanners and blacklisting mechanisms see as harmless. This page doesn’t contain any obfuscated code and performs the redirect via a PHP or .htaccess file.

The second page is the one that contains the redirect to a site in charge of performing the attack on users.

More recently, researchers identified a number of compromised websites that were set up to send users to fake AVs but were also infected with a malicious piece of JavaScript containing an IFRAME injection that pointed to locations such as fbyvdtydyth.myfw.us/?go=2, or tds46.lookin.at/stds/go.php?sid=1.

Fortunately, search engines flag this JavaScript as malicious fairly fast. That’s because the script is present on all the web pages and is placed before the original HTML code.

While in most cases users can protect themselves against such attacks by utilizing a lot of common sense and reliable security solutions, website administrators and owners should also act responsibly and check their websites as often as they can for any type of misuse.
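A site owner can check for the trait described above, the same script or IFRAME sitting before the original HTML on every page. The following is an added example, not code from the article or from Zscaler; the function names, the 50% threshold and the sample pages (including the `example.invalid` host) are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Where the legitimate document begins: the doctype or the <html> tag.
DOC_START = re.compile(r"<!doctype\s+html|<html[\s>]", re.I)
SCRIPT_OR_IFRAME = re.compile(r"<(script|iframe)\b", re.I)

def injected_prefix(html):
    """Return markup found before the document start if it holds a
    script or iframe tag, otherwise an empty string."""
    m = DOC_START.search(html)
    if not m:
        return ""
    prefix = html[:m.start()].strip()
    return prefix if SCRIPT_OR_IFRAME.search(prefix) else ""

def find_sitewide_prefix(pages, min_share=0.5):
    """pages maps path -> HTML text. Return (sha256, paths) for every
    prepended block shared by at least min_share of pages (minimum 2)."""
    groups = defaultdict(list)
    for path, html in pages.items():
        prefix = injected_prefix(html)
        if prefix:
            # Collapse whitespace so re-indented copies group together.
            normalised = " ".join(prefix.split())
            digest = hashlib.sha256(normalised.encode()).hexdigest()
            groups[digest].append(path)
    threshold = max(2, int(len(pages) * min_share))
    return sorted((d, sorted(p)) for d, p in groups.items()
                  if len(p) >= threshold)

# Constructed sample site: three pages carry the same prepended block.
INJECTED = ('<script>/* constructed placeholder for injected code */</script>'
            '<iframe src="http://redirect.example.invalid/" width="1"></iframe>')
CLEAN = ("<!DOCTYPE html>\n<html><head><title>{}</title></head>"
         "<body><script src='/site.js'></script></body></html>")
SAMPLE_PAGES = {
    "index.html": INJECTED + "\n" + CLEAN.format("Home"),
    "about.html": INJECTED + "\n  " + CLEAN.format("About"),
    "contact.html": "  " + INJECTED + "\n" + CLEAN.format("Contact"),
    "legacy.html": CLEAN.format("Legacy"),
}

if __name__ == "__main__":
    for digest, paths in find_sitewide_prefix(SAMPLE_PAGES):
        print(digest[:16], "prepended on", ", ".join(paths))
```

In practice the `pages` mapping would be built from the files under the web root or from fetched responses, and any hit should be compared against a known-good copy of the site.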


