Thousands of sites stung? What by Bees?Wasps? or Scorpions?

June 2009

As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense. The affected sites have been hacked to host java_script code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site’s usage, then to another bad site, said the threat research manager for Websense. Those Web sites have likely been hacked via a SQL injection attack, in which improperly configured Web applications accept malicious data and get hacked, the researcher said. Another possibility is that the FTP credentials for the sites have somehow been obtained by hackers, giving them access to the inner workings of the site. It appears the hackers are using automated tools to seek out vulnerable Web sites, the researcher said. The latest campaign underscores the success hackers have at hosting dangerous code on poorly secured Web sites. Once a user has been directed to the bogus Google analytics site, it redirects again to another malicious domain. That site tests to see if the PC has software vulnerabilities in either Microsoft Corp.’s Internet Explorer browser or Firefox that can be exploited in order to deliver malware, the researcher said. If it does not find a problem there, it will launch a fake warning saying the computer is infected with malware and then try to get the user to willingly download a program that purports to be security software but is actually a Trojan downloader, he said. The fake security programs are often called “scareware” and do not work as advertised. As of May 29, only four of 39 security software programs could detect that Trojan, although that is now likely changed as vendors such as Websense swap malware samples with other companies in order to improve overall Internet security.