A massive hack of legitimate websites has been spreading malware to visitors' PCs, using a new tactic that has made detection "extraordinarily difficult," according to security experts.
The hack, which involves several hundred sites, may be related to a November 2007 break-in at Fasthosts, a UK-based hosting service, which in early December saw the theft of some clients' log-in credentials.
"All of the affected domains either have or have had a relationship in the recent past with Fasthosts," said Mary Landesman, a senior security researcher at ScanSafe, who initially highlighted the attack.
Like the large-scale hack prompted by a series of SQL injection attacks last week, the sites identified by ScanSafe are legitimate URLs, many of them small e-commerce sites. Among them are a bicycle shop and several tightly focused travel sites, said Landesman. Most, although not all, are businesses located in the UK.
That has caused real problems for researchers, including Landesman. In typical attacks, such as the SQL injection mass compromise, researchers can easily capture the attack code, analyse it and even use Google to search for other infected sites. Not so in this case.
Paul Ferguson, network architect at Trend Micro, agreed. "It makes it extraordinarily difficult," he said.