Massive Attack Infects 57,000 Sites

Security firm ScanSafe has reported a campaign in which more than 57,000 legitimised Web sites have been infected to load malware on visitors’ computers and steal their passwords

According to ScanSafe, the sites are being infected with a malicious iFrame via SQL injection. The iFrame in turn loads what ScanSafe Senior Security Researcher Mary Landesman described as a “potent Trojan cocktail consisting of backdoors, password stealers, and downloader” on the compromised Web pages.

The iFrame points to an intermediary exploit site that loads additional exploits and malware from up to seven different malware domains.

“Analysis of the malware binaries indicates possible origin in China,” she told eWEEK. “However, SQL injection is a global problem and certainly China is also a victim of these types of attacks. Currently, ScanSafe is tracking a separate wave of compromises involving SQL injection in which only Chinese websites appear to be targeted. There are about 70,000 compromised websites in China resulting from those attacks.”

When ScanSafe first reported the attack Friday, it noted that roughly 55,000 sites were impacted. The victimised sites include feedzilla.com, latindiscover.com and sites for several charitable and nursing facilities.
The malware is installed silently, Landesman said, and is currently directed at Windows PCs only.

Such mass compromises are not uncommon. In June, Websense detected the so-called “Nine Ball” compromise, which impacted more than 40,000 Web sites. In addition, ScanSafe uncovered a similar campaign earlier this year known as Gumblar.