The sites were injected with HTML code that attempted to load malware from a malicious web server – robint.us – onto visitors' PCs, researchers said. All of the affected sites are hosted on Microsoft Internet Information Services (IIS) web servers, and are using Active Server Pages software from ASP.net, David Dede, lead security researcher at malware detection solutions provider Sucuri Security, told SCMagazineUS.com on Thursday. The attacks, however, are the result of vulnerabilities in third-party web applications and do not demonstrate holes in Microsoft software, Microsoft has said.
“Looking at the logs, the attackers were scanning for multiple vulnerabilities, trying different SQL injections,” Dede said.
In the case of the Wall Street Journal, the infection was the result of a compromised third party, adicio.com, which provides real estate listings that displayed on certain pages of the WSJ.com website, Mary Landesman, a senior security researcher at Cisco, wrote in a blog post Wednesday.
The attack, discovered earlier this week, also affected the websites Servicewomen.org and Intljobs.org. On Tuesday, around 10,000 websites were infected, Dede said. Many sites had more than one page affected, causing the total number of infected pages to reach more than 100,000 earlier this week.
Most of the impacted sites, including the Wall Street Journal, Jerusalem Post and Servicewomen.org, have already removed the malware. Approximately 7,000 web pages currently remain infected, researchers said. The malicious web server was taken offline approximately 24 hours after the attack began, so sites that currently remain infected are no longer distributing malware.
Landesman said attacks like this are nothing new.
“Many of these same compromised pages have been repeatedly compromised in one SQL injection attack after another since 2007,” she wrote in a separate blog post Tuesday. “Attacks like robint.us are just one of over a thousand unique attacks carried out via the web each month.”
SQL injection attacks are popular because a lot of applications are still vulnerable, and the technique is easy for cybercriminals to pull off, Dede said.
Additionally, he said, the sites that were affected in this compromise may still be vulnerable to getting attacked again.
“They got hacked through SQL injection,” Dede said. “So, if they didn't fix [the SQL vulnerability], they can get hacked all over again.”
