"What we saw in April was a one-two punch," says Mary Landesman, senior security researcher, ScanSafe. "In addition to the much publicized SQL injection attack, Web surfers were impacted by the mushrooming of an attack on mid-tier websites. While individually these mid-tier sites may not pack in the visitors, collectively they make up what's often referred to as the Long Tail of the Web. Ongoing investigation by our Security Threat Alert Team indicates this is a large scale attack that is growing exponentially and is not being detected by the majority of Web crawlers."
For example, several searches on infected sites using a newly launched security feature on Yahoo! powered by McAfee SiteAdvisor did not flag or block the sites.
"The hackers behind this attack have been employing techniques to elude detection and as a result, the only way to block the malware is if the affected Web page is scanned in real-time."
The attack on these Long Tail sites began in December 2007, but has exploded in recent weeks. In April, nearly 50 percent of ScanSafe's corporate customer base tried to access one of these sites, but were protected from the malware.
There are several commonalities among the compromised sites that indicate the likelihood that this is a coordinated attack being carried out by one person or group of people. All of the affected sites in the Long Tail attack contain an identical malicious iframe and all exhibit specific behavior designed to thwart casual investigation. The iframe loads exploit code that can expose surfers to malware that can steal passwords or open backdoors to access infected PCs. The malware hosts involved in the attacks are hosted in both Turkey and China. ScanSafe believes the attackers initially gained access to the sites via a compromise in webmaster FTP credentials -- allowing them to hack the sites and gain access to host servers.
Earlier in April, ScanSafe reported on the latest round of SQL injection attacks, estimated to have impacted over 500,000 sites -- including many brand name sites. According to ScanSafe, the April
attacks are related to a series attacks targeting Active Server Page (ASP) and Microsoft SQL Server that first appeared in October 2007. High profile victim sites have included the U.N., Ikea, the city of Cleveland and Computer Associates (all these sites have since been cleaned). While earlier waves targeted obscure pages on affected sites, the attacks in April targeted more frequently visited pages. ScanSafe believes the SQL injection attacks will continue to grow in sophistication.
"It's unlikely we've seen the last of either of these attacks. Given the improved targeting and growing number of compromises, Web surfers will want to be increasingly cautious," says Landesman.
