NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0430 Mass Web Site Exploitation:
McAfee has reported a script-injection attack against some 10,000 web pages, apparently
designed to help attackers steal passwords from online gamers. "This attack involves
injection of script into valid web pages to include a reference to a malicious '.JS' file
(sometimes in the body, other times in the title section)," said McAfee's Avert Labs.
"The '.JS' file uses script to write an IFRAME, which loads an HTML file that attempts to
exploit several [existing] vulnerabilities." To site visitors, the web pages appear to be
unaltered, but the pages inject code that redirects the web browser to a malicious site.
This second site in turn installs a password-stealing Trojan on the user's machine. The
attack appears to emanate from networks in China, according to McAfee.
(www.darkreading.com 13MAR08)
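For site owners who want to check their own pages for the injection described above (a script reference added to the body or the title section, and a '.JS' file that writes an IFRAME), here is an added example. It is not part of the original advisory or of McAfee's tooling. The allowlist, host names and sample markup are constructed placeholders, and the checks are heuristics over raw markup.

```python
import re
from urllib.parse import urlparse

# Heuristic patterns over raw markup (injected tags are often malformed).
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TITLE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.I | re.S)
IFRAME_WRITE = re.compile(r"document\.write(?:ln)?\s*\([^)]*<\s*iframe", re.I)

def scan_page(text, allowed_hosts):
    """Return (kind, line, detail) findings for one HTML or .js file."""
    def line_of(pos):
        return text.count("\n", 0, pos) + 1
    findings = []
    title_spans = [m.span(1) for m in TITLE.finditer(text)]
    for m in SCRIPT_SRC.finditer(text):
        url = m.group(1)
        host = (urlparse(url).hostname or "").lower()
        if any(s <= m.start() < e for s, e in title_spans):
            # A script reference has no business inside <title>.
            findings.append(("script-in-title", line_of(m.start()), url))
        elif host and host not in allowed_hosts:
            # Absolute URL to a host the site owner never approved.
            findings.append(("unknown-script-host", line_of(m.start()), url))
    for m in IFRAME_WRITE.finditer(text):
        findings.append(("iframe-written-by-script", line_of(m.start()), ""))
    return findings

# Constructed samples; all hosts are placeholders, not indicators.
ALLOWED = {"static.example.org"}
CLEAN = """<html><head><title>Guild forum</title>
<script src="/js/site.js"></script>
<script src="https://static.example.org/lib.js"></script></head>
<body>Welcome</body></html>"""
TITLE_INJECTED = """<html><head>
<title>Guild forum<script src=http://injected.invalid/m.js></script></title>
</head><body>Welcome</body></html>"""
BODY_INJECTED = CLEAN.replace(
    "Welcome", 'Welcome<script src="http://injected.invalid/m.js"></script>')
LOADER_JS = "document.write(\"<iframe src='http://injected.invalid/a.htm' width=0></iframe>\");"

if __name__ == "__main__":
    for name in ("CLEAN", "TITLE_INJECTED", "BODY_INJECTED", "LOADER_JS"):
        print(name, scan_page(globals()[name], ALLOWED))
```

Comparing the served copy of each page against the copy in source control catches the same tampering without relying on patterns.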
McAfee researchers have detected a new large-scale hacking campaign that has been active for
approximately one week and has infected approximately 200,000 web pages. Most of the infected
pages are running the PHP Bulletin Board (phpBB) forum software, said McAfee. The compromised
pages are embedded with a JavaScript file that links to the site hosting the attack. Rather
than attempt to exploit browser vulnerabilities, the attack attempts to trick a user into
manually launching its malicious payload using a "fake codec" social engineering trick.
"This contrasts [the 13March] attack in that the vast majority of those were active server
pages," explained McAfee researcher Craig Schmugar, referring to an earlier attack also
reported [above] by McAfee that compromised 10,000 web sites.
(www.vnunet.com 17MAR08)