Symantec reported the worldwide infection of 3,500 public servers with a malicious script that redirects victims to other compromised websites that could be used to download malware and which the company said could be part of a recon effort for future attacks.
The security firm detected the script using the company's Intrusion Prevention System signature, which detects when a hidden script injected in a compromised website is used to redirect users to a website hosting malicious code and is triggered when a user browses a compromised website. Symantec said the compromised websites all used the same content management system.
At this time no malware was associated with this injection attack and does not lead to any malicious downloads.
“It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack. The possibilities for future attacks include the delivery of advertisements, SEO poisoning attacks, or criminals modifying the code to deliver malware and compromise unprotected users,” wrote Christian Tripputi, a security support manager for Symantec.
The scripts then collect information to include: page title, URL, referrer, Shockwave Flash version, user language, monitor resolution and host IP address.
About 75 percent of the infected websites, generally business, .edu and government types, are located in the U.S.