57,000 Websites Compromised in Mass Attack, ScanSafe Reports

ScanSafe has reported a massive compromise impacting 57,000 legitimate sites. When users visit the infected Web pages, they are greeted with a truckload of password stealers and other Trojans.

Security firm ScanSafe has uncovered a campaign that has compromised more than 57,000 Websites in a bid to dump gallons of malware on users' computers.

According to ScanSafe, the sites are being infected with a malicious iFrame via SQL injection. The iFrame in turn loads what ScanSafe Senior Security Researcher Mary Landesman described as a "potent Trojan cocktail consisting of backdoors, password stealers and downloader" on the compromised Web pages.

The iFrame points to an intermediary exploit site that loads additional exploits and malware from up to seven different malware domains.

"Analysis of the malware binaries indicates possible origin in China," Landesman told eWEEK. "However, SQL injection is a global problem, and certainly China is also a victim of these types of attacks. Currently, ScanSafe is tracking a separate wave of compromises involving SQL injection in which only Chinese Websites appear to be targeted. There are about 70,000 compromised Websites in China resulting from those attacks."

When ScanSafe first reported the attack Friday, it noted that roughly 55,000 sites were impacted. The victimized sites include feedzilla.com, latindiscover.com, and sites for several charitable and nursing facilities.

The malware is installed silently, Landesman said, and is currently directed at Windows PCs only.

Such mass compromises are not uncommon. In June, Websense detected the so-called"Nine Ball" compromise, which impacted more than 40,000 Websites. In addition, ScanSafe uncovered a similar campaign earlier this year known as Gumblar.