A new sophisticated
attack method tracks IP addresses of visitors to a particular
Website and then uses the addresses to mask a malicious Web page to
make it disappear.
"Using evasive attacks, hackers manage to control the visibility of the
malicious code by serving the malicious code to certain IP addresses."
Yuval Ben-Itzhak, chief technology officer, Finjan
Finjan chief technology officer Yuval Ben-Itzhak said the
sophisticated attacks can bypass signature-based and
database-reliant security technology. Using the IP addresses of
Website visitors, the attackers restrict exposure to the malicious
code to a single view from each unique IP address. All traces of
the initial malicious page completely disappear, Ben-Itzhak
said.
"Using this technique hackers can infect more users and avoid
detection," he said. "This could provide a lot of power to
hackers."
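An added example, not part of the original article or of Finjan's report: one defensive way to look for the serve-once-per-IP behavior described above in proxy logs. The record format, the body digests, the URLs and the function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy records (assumed format): (time, client_ip, url, body_digest).
# body_digest stands for a hash of the response body as logged by the proxy.
URL_A = "http://site.example/news.html"      # behaves like the evasive page
URL_B = "http://site.example/about.html"     # static page
URL_C = "http://site.example/ticker.html"    # legitimately dynamic page
SAMPLE_LOG = [
    (1, "198.51.100.7", URL_A, "e3f1"), (2, "198.51.100.7", URL_A, "07ab"),
    (3, "203.0.113.9", URL_A, "e3f1"), (4, "203.0.113.9", URL_A, "07ab"),
    (5, "198.51.100.7", URL_A, "07ab"), (6, "192.0.2.44", URL_A, "e3f1"),
    (7, "198.51.100.7", URL_B, "51c0"), (8, "198.51.100.7", URL_B, "51c0"),
    (9, "203.0.113.9", URL_B, "51c0"),
    (10, "198.51.100.7", URL_C, "a001"), (11, "198.51.100.7", URL_C, "a002"),
    (12, "203.0.113.9", URL_C, "a003"), (13, "203.0.113.9", URL_C, "a004"),
]

def find_serve_once_urls(records, min_ips=2):
    """Flag URLs whose first response to a client IP differs from every repeat
    response to that IP, while the repeat content is stable and identical
    across at least min_ips clients (the page served after the first view)."""
    per_client = defaultdict(list)            # (url, ip) -> digests in time order
    for _, ip, url, digest in sorted(records):
        per_client[(url, ip)].append(digest)

    fallback = defaultdict(set)               # (url, repeat digest) -> client IPs
    for (url, ip), digests in per_client.items():
        first, repeats = digests[0], set(digests[1:])
        # Need a repeat visit, one stable repeat body, and a different first body.
        if len(repeats) == 1 and first not in repeats:
            fallback[(url, repeats.pop())].add(ip)

    return {url: sorted(ips) for (url, _), ips in fallback.items()
            if len(ips) >= min_ips}

if __name__ == "__main__":
    for url, ips in find_serve_once_urls(SAMPLE_LOG).items():
        print(f"{url}: first view differed for {', '.join(ips)}")
```

A client seen only once, like 192.0.2.44 in the sample, yields no evidence, so the check depends on repeat visits being logged.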
Finjan released its threat report at the
Gartner IT Summit in Washington.
Ben-Itzhak said Finjan is also tracking a rise in affiliation
networks that use a hosted model for
malicious code packages to compromise popular Websites and
government domains.
"Hackers are motivated by money and not fame anymore," he said.
"Hackers no longer deface Websites. They now add an IFrame or HTML
element that connects the user to malicious code."
Websites use IFrames to embed an HTML document inside the main
Web page. Participants in the affiliation insert a reference to the
malicious code in various Websites. The Website owners are then
paid according to the number of infected visitors to the site.
Ben-Itzhak said the type of attack has been reported in recent
months by several security vendors.
"We have very exciting evidence that shows the massive amount of
important data that hackers are collecting from thousands of
users," he said. "We don't know how many are on the same network,
but we definitely know that there are many teams and many networks
like this and many examples of Trojan servers collecting
information."
In addition to hacking networks, Finjan researchers have found
malicious code contained in display ads from third-party
advertising networks. Finjan said that many of the display ads come
from legitimate Website owners who sign up with third-party
advertising networks hoping to generate revenue from their blog or
Website.
"We've tried to track the relation between site owner and the
display ad with the affiliated ad network to figure out who to
blame, but we ended up with no conclusion," Ben-Itzhak said. "In
many cases the blogger is not aware and probably subscribed to the
ad affiliation program with the hopes of getting more money."