Thousands of Websites Have Been Compromised With Malicious Code

Symantec has recently identified thousands of websites that have been compromised with malicious code, which is used to redirect users to a compromised website. Of the compromised websites, 75 percent were located in the U.S. An injection attack relies on injecting data into a website in order to execute malicious code. It is then triggered when a user browses to the compromised website. Luckily, Symantec did not identify any malware associated with this attack.

The websites injected with this threat can be of any type and target a variety of organizations, including the following:

  • Business websites
  • .edu websites
  • Government websites

Once a malicious page has loaded in the user’s browser, the script waits 10 seconds and then runs code, which in turn runs additional scripts. These scripts can be used to collect the following information:

  • Page title
  • URL page address displayed by the browser
  • Referrer—so the attackers know how the user ended up on the current page and to possibly collect information about search term queries
  • Shockwave Flash version
  • User language
  • Monitor resolution
  • Host IP address
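
Site owners can check their own pages for the delayed-loader behavior described above with a simple heuristic scan. This is an added example, not code from Symantec or from the attack itself; the patterns, the 5-second threshold, the function names and the sample page with its example hosts are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns (assumptions, not signatures taken from the article).
TIMER_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)
LOADER_RE = re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I)
URL_RE = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""")

class InlineScripts(HTMLParser):
    """Collect the body of each <script> element that has no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._inline = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self._inline = False  # script bodies are raw text, so this is </script>
    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] += data

def find_delayed_loaders(html, site_host, min_delay_ms=5000):
    """Flag inline scripts that wait, then inject a script from another host."""
    parser = InlineScripts()
    parser.feed(html)
    findings = []
    for body in parser.scripts:
        delays = [int(d) for d in TIMER_RE.findall(body) if int(d) >= min_delay_ms]
        if not delays or not LOADER_RE.search(body):
            continue  # no long timer, or the timer does not load another script
        urls = ["https:" + u if u.startswith("//") else u for u in URL_RE.findall(body)]
        hosts = {urlparse(u).hostname for u in urls} - {site_host, None}
        if hosts:
            findings.append({"delay_ms": max(delays), "external_hosts": sorted(hosts)})
    return findings

# Constructed sample page: ordinary scripts plus one delayed external loader.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script>
<script>setTimeout(function () { rotateSlide(); }, 10000);</script>
<script>setTimeout(function () {
  var s = document.createElement('script');
  s.src = '//stats.example.net/c.js';
  document.head.appendChild(s);
}, 10000);</script></head><body></body></html>"""
if __name__ == "__main__":
    print(find_delayed_loaders(SAMPLE_PAGE, "www.example.edu"))
```

A hit is only a lead for manual review, since legitimate analytics tags can load scripts the same way.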

It is likely that the attacks are reconnaissance, which is when hackers perform research to learn more about targets and utilize that information in a future attack. Think of it as if the attackers have made a spider web, but nothing has been caught in the web yet. This is likely a set-up for future attacks. The possibilities for future attacks include the delivery of advertisements, or criminals modifying code in order to deliver malware to unprotected users.

How to Stay Protected:
In this particular case, the only protection is current Internet security software. Luckily, Norton Security protects against this threat.