Last week’s OpUSA attacks resulted in no high-profile sites being knocked offline, with damage limited to relatively unknown sites being compromised and defaced. Still, the attack did show how hackers operate and “claim” their results in high-profile hacking “operations” like OpUSA. Using information provided both by the Smart Protection Network and the attackers themselves (via Pastebin), we were able to see, in part, how these attacks happen. What we found was that the attackers likely “stockpiled” an arsenal of compromised sites ahead of time to enable them to initiate a broad attack without warning.
We first looked at the sites that hackers had compromised as part of the OpUSA campaign. It quickly became apparent that there were patterns in the compromised URLs: the attackers had frequently uploaded files with names like islam.php, muslim.htm, jihad.htm, and usa.htm to the compromised sites. A legitimate visitor would never visit or see these particular URLs, as they were completely separate from the main site and, in effect, “hidden”.
Looking at the feedback data provided by the Smart Protection Network, we found something very curious. We found that the URLs that fit the pattern had been accessed the day before the alleged attacks, on May 6. Legitimate users would not be visiting these sites, as we said above. So who was visiting these URLs?
Based on other evidence, we were able to determine that the sites had been compromised at least two days before May 7. This indicated that the traffic we saw was probably malicious – the attacker, perhaps, checking that the (compromised) site was still up.
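The same check can be run by a site owner over their own web server logs: look for requests to the hidden defacement files named above that arrive before the campaign’s announced date. The script below is an added example, not code from the original post or from Trend Micro; it assumes Apache/nginx combined log format and uses a constructed sample log with documentation-range IP addresses.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Filenames the post reports the attackers uploading to compromised sites;
# legitimate visitors never request these, so any hit is worth a look.
DEFACEMENT_NAMES = {"islam.php", "muslim.htm", "jihad.htm", "usa.htm"}

# Combined (Apache/nginx) access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_hidden_artifact_hits(log_lines, campaign_date_iso):
    """Map each defacement path to the (date, client IP, status) of requests
    made strictly before the campaign's announced date (ISO 'YYYY-MM-DD').
    Such early hits are the 'is it still up?' checks the post describes."""
    campaign_date = date.fromisoformat(campaign_date_iso)
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() not in DEFACEMENT_NAMES:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        if when < campaign_date:
            hits[path].append((when.isoformat(), m.group("ip"), int(m.group("status"))))
    return dict(hits)


# Constructed sample log (documentation-range IPs); not real traffic from the post.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/May/2013:09:30:00 +0000] "GET /islam.php HTTP/1.1" 200 1024 "-" "curl/7.29.0"',
    '192.0.2.77 - - [06/May/2013:10:12:41 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/May/2013:14:02:11 +0000] "GET /images/usa.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [07/May/2013:02:10:00 +0000] "GET /images/usa.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, events in find_hidden_artifact_hits(SAMPLE_LOG, "2013-05-07").items():
        print(path, events)
```

Any path it reports is a file that should not exist in the web root; the client IP attached to it is a lead for further investigation, not proof of the attacker’s own address, since the post notes the checks came through a proxy.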
Figure 1. Near-identical lists of compromised sites
However, the attacker was not doing so directly. We believe that the attacker was doing so via an infected machine that he was using as a proxy; on one particular machine used this way, 89 malicious or suspicious files had been detected and 173 malicious websites had been accessed in the past 30 days. This indicates this particular machine had already been extensively affected by malware, and was in use by cybercriminals for all sorts of purposes – including as a proxy “service”.
Figure 2. Number of malicious files detected
What can users learn from this event? Primarily, it’s to treat the damages claimed in this sort of “campaign” with some skepticism. Based on what we saw, attackers can “stockpile” compromised sites and release them when a major “campaign” like this is conducted, to make their claims of damage more impressive.
For security professionals, it’s a reminder that campaigns like OpUSA are not always a good indicator of when threats are likely to escalate. Preventing infection ahead of time can ensure you’re not caught up when attackers “flip the switch” on these high-profile campaigns.