In its Global Threat Report, ScanSafe reported a 35 percent increase in Web-based malware in April. The increase was driven by two separate series of attacks — an expanding iframe injection on middle tier sites that comprise the so-called “Long Tail’ of the Web — as well as a much higher profile SQL injection attack that affected thousands of websites — including many well known sites such as the United Nations.
What we saw in April was a one-two punch. In addition to the much publicized SQL injection attack, Web surfers were impacted by the mushrooming of an attack on mid-tier websites. While individually these mid-tier sites may not pack in the visitors, collectively they make up what’s often referred to as the Long Tail of the Web. Ongoing investigation by our Security Threat Alert Team indicates this is a large scale attack that is growing exponentially and is not being detected by the majority of Web crawlers.
For example, several searches on infected sites using a newly launched security feature on Yahoo! powered by McAfee SiteAdvisor did not flag or block the sites.
The attack on these Long Tail sites began in December 2007, but has exploded in recent weeks. In April, nearly 50 percent of ScanSafe’s corporate customer base tried to access one of these sites, but were protected from the malware. Examples of impacted sites (which have since been cleaned) include:
- YeahBaby.com – which provides information for expectant parents and parents of newborns and toddlers
- Flowercarole.com – a collection of fruit smoothie recipes
- Soccercommercials.com – a collection of soccer commercials from around the world
There are several commonalities among the compromised sites that indicate the likelihood that this is a coordinated attack being carried out by one person or group of people. All of the affected sites in the Long Tail attack contain an identical malicious iframe and all exhibit specific behavior designed to thwart casual investigation. The iframe loads exploit code that can expose surfers to malware that can steal passwords or open backdoors to access infected PCs. The malware hosts involved in the attacks are hosted in both Turkey and China. ScanSafe believes the attackers initially gained access to the sites via a compromise in webmaster FTP credentials — allowing them to hack the sites and gain access to host servers.
Earlier in April, ScanSafe reported on the latest round of SQL injection attacks, estimated to have impacted over 500,000 sites — including many brand name sites. According to ScanSafe, the April attacks are related to a series of attacks targeting Active Server Page (ASP) and Microsoft SQL Server that first appeared in October 2007. High profile victim sites have included the U.N., Ikea, the city of Cleveland and Computer Associates (all these sites have since been cleaned). While earlier waves targeted obscure pages on affected sites, the attacks in April targeted more frequently visited pages.