Researchers Warn of Powerful New Data Theft "Cocktail"

By Matthew Hines  |  Posted 2009-08-25 Print this article Print

Researchers with online security services provider ScanSafe are warning of a potent new blended attack that seeks to steal end users' personal data and is spreading rapidly across the Web.

Mary Landesman, senior security researcher with ScanSafe, said in a brief blog post that the powerful "cocktail" of backdoor, password stealing malware and Trojan downloader attacks is being discovered on a growing number of Web sites, having tracked over 55,000 such infected URLs in only several days time since first discovering the nefarious package.

The attack is being loaded onto sites via a malicious iframe, she said, infecting large numbers of otherwise legitimate URLs. The iframe itself is using an intermediary site which downloads the other threats from an assortment of other malware domains, Landesman said.

It's not unusual for attackers to use such a layered distribution approach these days to thwart efforts to stop their campaigns by shutting down individual URLs that they've employed.

A Google search on the intermediary site used in the blended attacks at the end of last week turned up masses of pages already owned by the sophisticated package, including,, and a number of charitable and nursing facilities, including,,, and

According to ScanSafe, the domains involved in spreading the attack were registered only in early August and include,,,,,, and, with leading the way in terms of distribution.

The involved attackers are using popular hosting providers including to register their domains, which remain online and volatile, the experts reported.

Researchers have long been warning of the increasing use of such combined attacks as schemers seek new ways to distribute their work faster and more effectively.

The newly discovered example appears to be particularly effective based on the fact that it has been able to find so many legitimate sites that it can load itself onto in a short period of time.

End users should expect to see continued use of both the blended approach and the multi-tiered distribution model, as they continue to see increased adoption among attackers as they seek to keep their threats rolling even as researchers sniff them out.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel