funsec mailing list archives

Researcher Finds Evidence of Massive Site Compromise


From: "Paul Ferguson" <fergdawgster () gmail com>
Date: Thu, 2 Oct 2008 21:49:18 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via ComputerWorld.

[snip]

Several criminal gangs have acquired administrative log-in credentials for
more than 200,000 Web sites -- including the one used by the U.S. Postal
Service -- and have used the compromised domains to attack unsuspecting
users' PCs with a notorious hacker exploit kit, a researcher said today.

More than a month ago, Ian Amit, director of security research at Aladdin
Knowledge Systems Inc., found and infiltrated a server belonging to a
long-time customer of Neosploit, a hacker toolkit used by cybercriminals to
launch exploits against browsers and popular Web software such as Apple
Inc.'s QuickTime or Adobe Systems Inc.'s Adobe Reader.

On that server, Amit uncovered logs showing that two or three hacker gangs
had contributed to a massive pool of Web site usernames and passwords. "We
have counted more than 208,000 unique site credentials on the server," said
Amit, "and over 80,000 had been modified with malicious content."

The site credentials were not the ends, but only the means. The 80,000
modified sites were used as attack launch pads: Each served up exploit code
provided by the Neosploit kit to any visitor running a Windows system that
had not been fully patched.

By examining the server logs, Amit was able to identify the sites whose
log-ins had been compromised; he is now working with law enforcement
agencies in both the U.S. and overseas, as well as with organizations like
US-CERT, to tell site operators they need to change their administrative
passwords, purge the malicious code and secure their sites.

[snip]

More:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116138

Unfortunately, this is not surprising. Cyber criminals are basically
operating without fear of retribution or prosecution. :-(

- - ferg




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
