UK websites at centre of new mass hack attack

A massive hack of legitimate websites has been spreading malware to visitors' PCs, using a new tactic that has made detection "extraordinarily difficult," according to security experts.


The hack, which involves several hundred sites, may be related to a November 2007 break-in at Fasthosts, a UK-based hosting service, which in early December saw the theft of some clients' log-in credentials.

"All of the affected domains either have or have had a relationship in the recent past with Fasthosts," said Mary Landesman, a senior security researcher at ScanSafe, who initially highlighted the attack.

Like the large-scale hack prompted by a series of SQL injection attacks last week, the sites identified by ScanSafe are legitimate URLs, many of them small e-commerce sites. Among them are a bicycle shop and several tightly focused travel sites, said Landesman. Most, although not all, are businesses located in the UK.

But in almost every other way, this was a different, and much more sophisticated, attack. "Usually, in an attack like this, code is injected into the [site] pages, and that code is static," Landesman explained. "In these, it's completely different. The JavaScript that was being created and the reference [to it] was being generated dynamically."

That has caused real problems for researchers, including Landesman. In typical attacks, such as the SQL injection mass compromise, researchers can easily capture the attack code, analyse it and even use Google to search for other infected sites. Not so in this case.

"The method made it extremely difficult to tell who else might be impacted," Landesman said. "Here, the JavaScript was being generated dynamically and the file name was random, so we didn't have a common denominator. From a forensics standpoint, that hampers things greatly."
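When the injected script reference changes on every page load and its file name is random, there is no fixed string to search for, so a defender has to look for the shape of the reference instead. The following is an added example (not ScanSafe's or Trend Micro's tooling) that scans a page's `<script src>` references and flags file names that look machine-generated: long, with no separators, mixing letters and digits, and with high character entropy. The sample HTML and the thresholds are constructed assumptions for illustration.

```python
import math
import re
from html.parser import HTMLParser


class ScriptRefCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-character alphabet."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def script_stem(src):
    """Strip query string, fragment, directory and extension: '/x/abc.js?v=1' -> 'abc'."""
    path = src.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def suspicious_script_refs(html, min_len=12, min_entropy=3.5):
    """Return script src values whose file name looks randomly generated.
    Thresholds are assumptions; tune them against your own site's real script names."""
    collector = ScriptRefCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        stem = script_stem(src)
        looks_random = (
            len(stem) >= min_len
            and re.fullmatch(r"[A-Za-z0-9]+", stem) is not None  # no words/separators
            and re.search(r"\d", stem) and re.search(r"[A-Za-z]", stem)  # mixed classes
            and shannon_entropy(stem) >= min_entropy
        )
        if looks_random:
            flagged.append(src)
    return flagged


# Constructed sample page: two ordinary script names and one random-looking reference.
SAMPLE_PAGE = """<html><head>
<script src="/js/jquery-1.2.6.min.js"></script>
<script src="/js/checkout.js"></script>
<script src="/tmp/k8f3x0q9z2w7b5.js"></script>
</head><body><p>shop</p></body></html>"""
```

The heuristic will also flag legitimate cache-busted or hashed asset names, so in practice it should be used to surface candidates for review on pages whose script inventory is otherwise known, rather than as a blocking signature.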

Paul Ferguson, network architect at Trend Micro, agreed. "It makes it extraordinarily difficult," he said.