Hackers with a new scam are still managing to subvert hundreds of thousands of web pages with IFrame redirects, sending unwary users to malware-spewing sites, researchers say.
The attacks, which began about a week ago, show no signs of slowing, said Dancho Danchev in a yesterday. And there are hints that the attacks may be linked to the infamous Russian Business Network of hackers, which has been suspiciously quiet since November.
"The group is continuing to expand the campaign," said the Bulgarian researcher. "These are the high-profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFrame-injected pages within their search engines."
Danchev listed more than 20 sites that together account for more than 401,000 IFrame-injected pages. These include high-profile sites such as the US government's Medicare programme, the US Administration on Ageing and the North Carolina State University library, as well as questionable pages like BitTorrent sites hosting pirated software and other content.
The attacks "just keep growing", said Ben Greenbaum, a senior research manager with Symantec's security response team. Greenbaum explained that the attacks, which are not strictly site compromises, leverage the search result caches that these sites maintain.
Likely relying on an automated tool to do the dirty work, the hackers add IFRAME code to the saved search results on the sites, Greenbaum said. The next visitor that uses the search tool is then redirected to another website by the IFRAME code.
The second site in turn puts up a message telling the user that a new codec needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware - a new variant of the Zlob Trojan horse - and installs it on the victim's PC.
"There are multiple levels of redirection going on here," said Greenbaum.
In his posting, Danchev said he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors.
Trace it back far enough, and the path leads to the Russian Business Network (RBN) – a notorious organisation that hosts criminal's websites and provides them with domains from which they can launch their attacks.
"What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack," said Danchev.
"This tactic of poisoning recent search results in legitimate sites is new as of the last week or so," said Greenbaum. "But there are lots of things we can do to prevent this."
If users rejected the bogus call to install the codec, the string is broken, and no harm can come to them. Website operators, on the other hand, can take a number of steps, including properly sanitising all user input or not caching previous searches.
But Danchev was more pessimistic that the attacks could be halted quickly. "To sum up - it's a mess," he said.