Researchers on Friday continued to monitor a widespread IFRAME attack that exploits visitors to legitimate websites by installing an information-stealing trojan on their machines.
As many as 20,000 different web pages have been impacted by the assault, which uses SQL injection to hack into vulnerable web pages and then drops a payload on users' computers that are not updated with the latest Microsoft patches, experts said.
Users may have difficulty knowing whether they are being compromised because the attack plays out behind the scenes, without any initiation required, Craig Schmugar, threat research manager for McAfee Avert Labs, told SCMagazineUS.com on Friday.
The hacked pages contain an IFRAME that points to a malicious website, which installs a password-stealing trojan if users' machines remain open to a number of previously patched Microsoft vulnerabilities, including a Microsoft Data Access Components flaw documented in bulletin MS06-014.
The trojan is inactive if the compromised machine is idle, but once Internet Explorer is launched and the user enters a password, the malware comes alive and sends the stolen information back to a server in China, according to the Shadowserver Foundation, a nonprofit that monitors internet attacks.
Schmugar said the payloads vary, but a prevalent one seems to be after passwords to online games, such as Lord of the Rings
The hacker site is hosted on 2117966[dot]net, SANS Internet Storm Center handler Kevin Liston wrote
on the organization's blog on Friday. Businesses are encouraged to block this site at their web proxy, he said.
Schmugar said that the attackers are going after lesser known, but trusted websites.
"They're not top-tier sites that everyone's heard of, but they're still dot-coms and dot-nets," he said. "I view this as a crime of opportunity. The attacker seems to be scanning the web and finding as many vulnerable sites as they can to attack."
Website operators are advised to run security scans to detect deficiencies in code, Schmugar said. Meanwhile, the Shadowserver Foundation recommends that organizations consider blocking traffic from the malicious IP address, 220.127.116.11.
Through their study of the attack, McAfee researchers also have detected more than 200,000 trusted web pages that are serving up a socially engineered, click-fraud trojan if users agree to install a malicious codec, Schmugar said.
This is caused by a bug in an older version of PhpBB, an internet forum package written in PHP that runs on many websites, Schmugar said. The payload forces users' PCs, without their knowledge, to click on ads to increase revenue for cybecriminals.
Still, researchers do not consider this event as serious as the SQL attack because user interaction is required for compromise.