Talk about letting your guard down.
Roger Thompson, chief research officer at AVG, has discovered a compromise in a National Guard site through which one of the agency’s URLs is now being used to distribute spyware.
The page in question, which belongs to the Texas National Guard, has been linked to another site somewhere in Russia, Thompson reports, to which visitors are being redirected via image files and targeted with a rootkit attack.
The involved National Guard URL appears as if it is under the control of the agency’s human resources office; however, visitors to the page who click on certain images are redirected to add-block-plus.net (don’t go there), which in turn links them to the domains that host the spyware threat.
The threat itself, which appears to prey on unpatched Windows machines, is of the fake AV variety and informs users who it has already infected that they need to pay $50 to get a program to clean their machines.
“Of course, anybody who watches this stuff a bit knows that this machine is now hopelessly nailed, and code has been installed in the background, and their pitch is that they’ll remove it for a mere $49.95, and insert your credit card number here, please,” writes Thompson on his blog. “And, of course, now that they’ve got your machine, they’re not going to let it go until they’ve got what they want, because they’ve installed a rootkit.”
And who knows what they’ll do with your credit card number.
As the expert points out, the attack may have been targeted at the site because the Texas National Guard is currently working full tilt to help the state dig out from Hurricane Ike.
Either the attacker knew that it was likely that the agency would have its defenses down or figured there might be increased traffic to the official URL, and thus more targets.
It just goes to show you that sites you might think are safest in the harshest of times can still be owned by the bad guys, and that the bad guys may very well may be preying on people’s assumptions to that end, or at least increased interest in such pages.
Stormy weather indeed!
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.