New hacking technique shields attackers

A new report issued by UK-based security vendor Finjan shows that attackers are using IP addresses to mask a malicious Web page and avoid detection.

A new sophisticated attack method tracks IP addresses of visitors to a particular Website and then uses the addresses to mask a malicious Web page to make it disappear.

Using evasive attacks, hackers manage to control the visibility of the malicious code by serving the malicious code to certain IP addresses.
Yuval Ben-Itzhak,
chief technology officerFinjan

Finjan chief technology officer Yuval Ben-Itzhak said the sophisticated attacks can bypass signature-based and database-reliant security technology. Using the IP addresses of Website visitors, the attackers restrict exposure to the malicious code to a single view from each unique IP address. All traces of the initial malicious page completely disappear, Ben-Itzhak said.

"Using this technique hackers can infect more users and avoid detection," he said. "This could provide a lot of power to hackers."

Finjan released its threat report at the Gartner IT Summit in Washington.

Ben-Itzhak said Finjan is also tracking a rise in affiliation networks that use a hosted-model for malicious code packages to compromise popular Websites and government domains.

"Hackers are motivated by money and not fame anymore," he said. "Hackers no longer deface Websites. They now add an IFrame or HTML element that connects the user to malicious code."

Listen to the interview with Finjan:
Security Wire Weekly Special Edition: News Writer Bill Brenner interviews Yuval Ben-Itzhak, chief technology officer of Finjan.

Download MP3 | (Runtime: 3:56)

Websites use IFrames to embed an HTML document inside the main Web page. Participants in the affiliation insert a reference to the malicious code in various Websites. The website owners are then paid according to the number of infected visitors to the site.

Ben-Itzhak said the type of attack has been reported in recent months by several security vendors.

"We have very exciting evidence that shows the massive amount of important data that hackers are collecting from thousands of users," he said. "We don't know how many are on the same network, we but definitely know that there are many teams and many networks like this and many examples of Trojan servers collecting information."

In addition to hacking networks, Finjan researchers have found malicious code contained in display ads from third party advertising networks. Finjan said that many of the display ads come from legitimate Website owners who sign up with third party advertising networks hoping to generate revenue from their blog or Website.

"We've tried to track the relation between site owner and the display add with the affiliated ad network to figure out who to blame, but we ended up with no conclusion," Ben-Itzhak said. "In many cases the blogger is not aware and probably subscribed to the ad affiliation program with the hopes of getting more money."

Read more on Hackers and cybercrime prevention