Researchers with online security services provider ScanSafe are warning of a potent new blended attack that seeks to steal end users’ personal data and is spreading rapidly across the Web.
Mary Landesman, senior security researcher with ScanSafe, said in a brief blog post that the powerful “cocktail” of backdoor, password stealing malware and Trojan downloader attacks is being discovered on a growing number of Web sites, having tracked over 55,000 such infected URLs in only several days time since first discovering the nefarious package.
The attack is being loaded onto sites via a malicious iframe, she said, infecting large numbers of otherwise legitimate URLs. The iframe itself is using an intermediary site which downloads the other threats from an assortment of other malware domains, Landesman said.
It’s not unusual for attackers to use such a layered distribution approach these days to thwart efforts to stop their campaigns by shutting down individual URLs that they’ve employed.
A Google search on the intermediary site used in the blended attacks at the end of last week turned up masses of pages already owned by the sophisticated package, including www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.
According to ScanSafe, the domains involved in spreading the attack were registered only in early August and include ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info, with ahthja.info leading the way in terms of distribution.
The involved attackers are using popular hosting providers including GoDaddy.com to register their domains, which remain online and volatile, the experts reported.
Researchers have long been warning of the increasing use of such combined attacks as schemers seek new ways to distribute their work faster and more effectively.
The newly discovered example appears to be particularly effective based on the fact that it has been able to find so many legitimate sites that it can load itself onto in a short period of time.
End users should expect to see continued use of both the blended approach and the multi-tiered distribution model, as they continue to see increased adoption among attackers as they seek to keep their threats rolling even as researchers sniff them out.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
