NOW READ THIS
("Security Advisory")


Submitted by: Bill Hickey
NCVA List Master

NRT-0469 Transient Hacking Cyber Operations Increasing:


In what is being termed "transient hacking," cyber operations are increasingly using temporary access to legitimate web sites and manipulating search engine results to infect or co-opt internet users' computers, according to a study by AVG Technologies cited in a recent online press report. AVG's chief research officer, Roger Thompson, says the technique counters defensive measures that rely on blocking certain IP addresses and forces victims to "play a losing game of whack-a-mole."

The study identified three main types of transient hacking:
(1) moving malware on and off of legitimate sites
(2) swapping malware in and out of legitimate banner ads on respected sites
(3) poisoning search engine results

The operations often leverage iFrames, which typically are not detected on a legitimate web page. Thompson says the iFrames - generally about a pixel wide - are embedded "so you can't see them. The whole point of an iFrame is to embed some data from another site without taking you off that site. There's nothing you can see unless you're really alert."
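As a defensive illustration of the hidden iFrames described above, the following added example (not part of the original advisory or the AVG study) scans a page's HTML for iframes that are effectively invisible and load from a different host than the page. The 2-pixel threshold, the function names, and the sample hosts are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TINY = 2  # assumption: width/height of 2px or less counts as invisible

def _px(value):
    """Leading integer from '1', '1px' or '0 px'; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def _style_map(style):
    """Inline style attribute -> {property: value}, lowercased."""
    pairs = (d.split(":", 1) for d in (style or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        css = _style_map(a.get("style"))
        reasons = []
        for dim in ("width", "height"):
            px = _px(css.get(dim) or a.get(dim))  # inline CSS wins over attribute
            if px is not None and px <= TINY:
                reasons.append(f"{dim}<={TINY}px")
        if css.get("display") == "none" or css.get("visibility") == "hidden":
            reasons.append("css-hidden")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        off_site = bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)
        if reasons and off_site:  # invisible AND loaded from another host
            self.findings.append((a["src"], reasons))

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page served from example.com (hosts are placeholders)
SAMPLE = """<iframe src="https://video.example.com/p" width="640" height="360"></iframe>
<iframe src="http://ads.invalid/x.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="//cdn.invalid/w" style="width:0px; height:0px; visibility:hidden"></iframe>
<iframe src="/local/widget" width="1" height="1"></iframe>"""
```

A check like this only sees static markup; iframes injected by script at load time need inspection of the rendered DOM instead.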

The banner ad approach was used on the recent MLB.com and MTV.com hacks, he says. Attackers change a link in the chain of the legitimate ad (on a legit site) to a malicious one, typically swapping it in and out of the ad so it is not as noticeable. "These come in waves and are hard to pin down," he says.

The recent search engine transient attacks are especially clever, according to Thompson. Attackers find a popular search term, set up a fake link on that topic, and send their bots to that link to pump up the search numbers, escalating it to the top of the search engine results. "They're not hacking web sites, just getting the search engine to store iFrames in the searches," he says, in hopes that a user will click on the link in their search results.

Savvy search engines reportedly detect the malicious links and purge them from search caches, but the attackers just send another 100,000 bot hits to another link using another popular search term. "Search engine manipulation is the epitome of a transient hack," Thompson says.

(www.darkreading.com 04APR08)


Last Modified: Thursday, 01-May-2008 15:13:20 EDT