Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.
Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.

Thousands of compromised websites, including a Carnegie Mellon domain, appear to be linked to a campaign that redirects users to exploit kit landing pages.

According to Jérôme Segura, senior security researcher at Malwarebytes Labs, an Adobe Flash-based redirection script was injected in many of the impacted sites, as far back as July.

Once the Flash application code was embedded on targeted pages, visitors were redirected to a rotating list of subdomains, which were registered by attackers who could easily discard the URLs and obfuscate their attacks.

Users were then pushed to a landing page hosting the Angler exploit kit (EK), which installs malware of attackers' choosing if vulnerable software is detected and exploited, he wrote in a Wednesday blog post where he posted a graphic depicting the process.

In the attack on the Carnegie Mellon domain, the school's Department of Statistics home page was compromised with malicious Flash code in order to exploit Internet Explorer users and install a banking trojan, called Tinba, on their machines, Segura said. The Angler EK leverages the IE vulnerability CVE-2014-1776 to spread malware, he added.

In a Friday interview with SCMagazine.com, Segura said that he notified Carnegie Mellon of the concern, and that it appeared the malicious code was no longer on its site.

“I went to the site and didn't see it there, so I imagine it was addressed,” Segura said. The trend he's observed in the campaign, however, has been for attackers to quickly take advantage of compromised sites, then move on and target new ones in order to keep a low profile.

“It's kind of a one-time thing where you spread the code,” he explained.

Segura noted in his blog post that the Carnegie Mellon site was “built on the Drupal Content Management System (CMS), which recently suffered a serious SQL injection vulnerability,” but that attackers could have compromised the domain through a variety of other means, including cracking weak passwords.

In his interview with SCMagazine.com, he added that, in the last couple months the firm has seen an increase in Flash being used for exploits and as a “redirection mechanism” for saboteurs.

“I think it's even surpassed Java as the weapon of choice for bad guys. We are also seeing this in a lot of malvertising attacks where Flash-based applications are used,” Segura said.

In his post, he expounded on the attack trend.

“Flash applications are proving to be the tool of choice for cyber-criminals lately and unlike Java, whose browser plugin can be disabled without too many consequences, removing Flash will result in a seriously degraded browsing experience,” he wrote. “The best course of action is to keep the Flash Player up-to-date but that still won't prevent JavaScript from running in your browser,” Segura continued.

“Some people will recommend using NoScript or similar tools to better control what gets executed. While its effectiveness does not need to be proven, it remains a painful solution for any serious surfing,” he wrote.