It is that month of the year when flowers are in full bloom and people celebrate them in festive events. And it seems that same eventful—but darker—tone can be used to describe the month of May for the security industry. Trend Micro has so far documented several mass compromises of Web sites around the world for this month. Yes, you read it right—the world over.
Here are the highlights of the notable Web site compromises we have seen in the past month:
It’s been a year since the infamous Italian Job attack of 2007. In an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands of sites hit in last year’s large-scale attack.
TrendLabs discovered two forms of this compromise: one via an injected obfuscated script that redirects to a certain malicious URL, and the other via a readable iFrame and the same obfuscated script.
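As an added illustration from the defender’s side (not code from the original post), here is a small Python scanner for the two injection forms just described: a hidden off-site iframe, and an obfuscated `eval(unescape(...))` script block. The sample page, host names and thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the obfuscated inline scripts seen in these compromises:
# eval(unescape(...)) wrappers, long runs of %XX escapes, fromCharCode chains.
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
    re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){10,}", re.I),
]

class InjectionScanner(HTMLParser):
    """Flags hidden off-site iframes, off-site script includes and obfuscated inline scripts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the host the page legitimately belongs to
        self.findings = []
        self._in_script = False

    def _off_site(self, url):
        host = urlparse(url).hostname        # relative URLs have no host -> not off-site
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and self._off_site(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                self.findings.append(f"hidden off-site iframe -> {a['src']}")
        elif tag == "script":
            self._in_script = True
            if self._off_site(a.get("src", "")):
                self.findings.append(f"off-site script include -> {a['src']}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so inspect them here
        if self._in_script and any(p.search(data) for p in OBFUSCATION_PATTERNS):
            self.findings.append("obfuscated inline script: " + data.strip()[:40] + "...")

def scan_html(html, site_host):
    """Return a list of human-readable findings for one page body."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page carrying both injection forms plus one legitimate script
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%27'))</script>
<script src="/js/site.js"></script>
<script src="http://malicious.example/a.js"></script>
</body></html>"""
```

Run it over a crawl of your own pages with `scan_html(body, "www.yourhost.example")`; the relative `/js/site.js` include is deliberately left unflagged.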
A survey of the site locations includes India, the UK, Canada, France, and China. This observation suggests the attack is the work of an automated Chinese hacktool programmed to search Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.
Meanwhile, a malicious script was injected into half a million Web sites believed to be running either poorly implemented or older, exploitable versions of phpBB. This event involved, among others, a ZLOB Trojan that changes an affected system’s local DNS and Internet browser settings.
May 19 – Chinese Weekend Compromise
Also on the same date, Chinese-language Web sites were targeted in an attack aimed specifically at China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.
The next day, several Web sites in Japan — including a popular music download site and a music company site — were found injected with malicious code.
These are the hard facts, and they point to a trend: cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think); it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.
These documented compromises appear not to be distinct incidents, but rather one big organized attack that simply involved different domains. However, it is also very much possible that different groups are using the same tool, or that a big organized group is outsourcing to small-time hackers. Until solid evidence is obtained, these scenarios remain speculation for the moment. We are keeping a close watch.