The visible link in the said email is a hypertext string that leads to the phishing URL:
hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem.meetingid.12469.
programs.dvppserv.1291logon.info/WCMALoginEA.htm posed as the Business Centre’s home page.

Clicking on the said link connects the user to a URL where they are prompted to download a required “digital certificate.” However, the phishing site is already inaccessible as of this writing.

Sunbelt also warns users in their blog that this scheme is highly likely being used for other schemes as well.

ShareThis

According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named getanewmazda.info domain. This page contains a script that looks for vulnerabilities to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:\winQZfio771.exe) is detected as TSPY_ZBOT.LA.

This compromise was discovered due to a feedback technology on our customers’ products. This mechanism allows our systems to monitor and block potential malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.

Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:

The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, where possibly more malicious files can be downloaded. As of this writing, our researchers found user names and passwords related stored in this domain, suggesting that it is used either as a phishing page or mere storage in which cyber criminals can easily retrieve stolen information.

This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.

Note that this seems to be an isolated incident so as far as the Honda enterprise is concerned, only Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken their site offline in order to address the matter.

Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs

ShareThis

“The Tragedy of the Commons is a type of social trap, often economic, that involves a conflict over finite resources between individual interests and the common good.”

- Wikipedia

In a perfect world, we all understand that certain situations should not exist which put our critical infrastructure at risk — we all like to be able to have electricity, water, and other common utilities which we normally take for granted.

But we do not live in a perfect world, of course.

I have written about SCADA (Supervisory Control And Data Acquisition) issues before on this blog, but I’d like to renew & enjoin the public interest in certain recent events & issues which may put these resources at risk.

First, let’s look at the issue of “convergence”, or rather, “premature convergence” which seems to be a better definition:

“…premature convergence means that a population for an optimization problem converged too early, resulting in being suboptimal.”

- Wikipedia

This is similar to — what I believe to be — the situation wherein some unknown portion of the SCADA controls & operations community has strategically moved itself into: using the same platforms, operating systems, and software, which are now susceptible to the vulnerabilities that we all know too well. Buffer overflows, remote exploitation, denial of service vulnerabilities, and so forth and so on.

Now, this wouldn’t be a problem if these system were, in no uncertain terms, not connected to the Internet in any way, shape, or form.

But that is increasingly not the case.

Due to operational “optimization” (meaning: it is cheaper to use publicly available connectivity to manage these systems), the SCADA threat landscape now begins to look a lot like the network security landscape that we all know and respect — one of constant vigilance and constant defensive threat posture.

Within the past couple of days, there have been a couple of SCADA systems management platform vulnerabilities announced which could result in some rather serious exploitation. The SANS ISC reported yesterday a situation in which one software suite which “…provides unauthorized access, allows partial confidentiality, integrity, and availability violation, allows unauthorized disclosure of information, allows disruption of service.”

This seems rather serious. And I have been informed that there is at least one more similar vulnerability which has not been publicly disclosed yet.

As utility companies make operational decisions based on economic business savings (using the Internet, or an Internet VPN, to manage their client-control base to save money), the unintended consequences can be severe. When they occur. If they occur.

Throw the dice.

Let’s keep our fingers crossed that the SCADA community quickly comes to grips with the nature of network security.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

ShareThis

Throughout the years, bulk mail has only morphed into various different forms (from text, to images, some bearing attachments, some links), with some forms evolving from mere unsolicited advertisements, to harbingers of phishing and even malware attacks.

On the antispam work grind, however, things look a little bit too familiar: the spammers faking “Better Business Bureau” (BBB) are at it again.

Unfortunate recipients who click on the link are brought to the following Web site:

This site requires” IE 5.5 or higher, which is incredibly strange, considering that the latest IE version today is already at 7. The 65kb file downloaded from the link (named ACROBAT.EXE) is detected as TROJ_AGENT.AOAR.

Around the same time last year we caught spam pretending to come from BBB telling the recipients that a complaint has been filed against them. The spam comes with an attachment which is actually TROJ_ARTIEF.A.

In a more recent instance, our Content Security team has found a phishing email which asks the user to visit a booby-trapped site. However, when a victim visits the site, the Web site displays a message informing them that an ActiveX control is required to view the page. Downloading the ActiveX control is, of course, not a good idea.

While these spammers never grow tired of recycling old tricks, it seems users are just as wont to open email messages out of curiousity anyways. Users are highly advised to activate antispam filters in their email applications along with antispam features that come with their security suite.

ShareThis

It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs (winzipices.cn and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.

Here is a general diagram illustrating basically what happens on the user side:

The Web site compromises were accomplished in a similar manner as were other recent mass compromises –- through poor .asp and asp.net configuration that allow exploitation via SQL injection.

WINZIPICES.CN

Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.

These redirections happen instantaneously, without the user knowing it. Some of these redirections lead to URLs that randomize an image in the Web page, a definitive routine that is used for advertisements. It also uses cookies to determine the TTL of the image and possibly change the image once the TTL expires.

However, a more dangerous path, of which the user has no way of determining (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP on the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.

As one of our researchers closely followed on the heels of the 2.asp path, we have found yet more executables, including an autorun malware detected by our patterns as WORM_AUTORUN.CBZ.

While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveal a possible attempt at information theft.

For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”

BBS.JUEDUIZUAN

This is another malicious URL than can be seen in various compromised sites (~1,510 pages). The redirection path in this case is found below:

JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.

The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:

• JS_SENGLOT.C
• HTML_DLOADR.CJ
• JS_REPL.CB
• JS_AGENT.ALIG
• TROJ_AGENT.ALGQ
• EXPL_EXECOD.A (interestingly, this is a rather old detection that covers codes attempting to exploit various application vulnerabilities including Yahoo! Jukebox and Lianzong)

DAMAGE COUNT

The number of Web sites affected have reached as of 19:50 PDT is at ~9,000, among them several legitimate medical, educational, government, and entertainment sites all over the world.

A survey of the site locations already includes India, UK, Canada, France, and China. This observation suggests that instead of a Webserver compromise or a heavily targeted attack, this attack could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.

Here are screenshots of a couple of the compromised sites:

Our researchers believe this is similar to the attacks earlier this year involving uc8010.com, ucmal.com, rnmb.net, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):

Also, we have been informed that a new version of this tool has very recently appeared, and unfortunately, it is now free for public download (as well while the latest one) and is posted up for availability to anyone who wants to download it.

The resulting package — once all the hacker selected options have been selected — creates the same .html file that has been used to launch various exploits.

In particular (matching the snapshot of the kit), options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which is most probably pertinent to the RealPlayer exploit, and so on.

Correlating the code snippets and the exploits which are used, this points to being the same gang that perpetuated nihaorr1.com on April 29th and which came live sometime Monday.

There have been similar attacks using older tools but it appears to be that using less files and less redirection has helped lend a hand in the growing number of affected sites. The fact that an updated version was just released last week doesn’t make next week’s forecast clear of this current style of attack either.

ShareThis

The use of movies as a social engineering bait by hackers is not new; in fact, it has sort of become a tradition that one has to expect every year. So while reading Entertainment Weekly’s “fearless” predictions for the season, we decided to come up with predictions of our own. Only this time we’re calling them “fearful” predictions, mainly because these are the types of predictions we hope would not come true.

1. Spammers and phishers will lure potential victims with raffle entries for tickets or merchandise. In 2005, Revenge of the Sith became the bait of choice of a Yahoo! phishing attack. Last year, spammers sent a supposedly short survey related to The Simpsons Movie in an attempt to gather email addresses. It will not be surprising if a similar tactic pops up this year, just in time when the anticipation for movies like Sex and the City or the X-Files sequel reaches fever pitch. After all, in the gaming arena, it has already happened with the release of Grand Theft Auto IV.

2. At least one malware will pose as an “exclusive” trailer, free movie passes for the premiere, or the “uncut version” of a movie. Unfortunately one has to download the “codec” or the “raffle entry form” first.

3. The official site of one movie will get compromised. Or a high-traffic fan site or blog, for that matter. Users who would want more information about a particular flick (show times, reviews, etc.) will click on the compromised page, where a slew of malware will be downloaded onto the unknowing victim’s computer.

Then again, with the ongoing trend of SEO poisoning and creating fake pages from scratch (which are laden with spammy links and keywords), users only need to Google a keyword in order to get infected. Speaking of SEO poisoning…

4. “Heath Ledger” will be once again a good keyword for poisoned pages. As the buzz surrounding the actor’s portrayal of The Joker in the upcoming The Dark Knight grows louder — some already claim it’s his finest role yet worthy of a posthumous Oscar — whose interest won’t be piqued?

ShareThis

It would appear that we have a developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.

Over at the SANS Internet Storm Center, John Bambenek has posted (and also provided at least one update at this hour) a daily handler’s diary entry explaining that that they have had reports of a possible SQL worm, involving some domains, JavaScript, and URLs that first popped up on our threat radar on Monday (5 May 2008) morning.

Trend Micro has already proactively blocked access to these malicious domains and URLs (and the associated malicious “back-channel” background activity) while we push out a pattern update for malicious file and JavaScript detection.

Having said that, that’s the beautiful thing about hybrid Web Threat Protection (WTP) — we shrink the “time-to-exploit” window immediately by breaking the infection chain.

For now, please be assured that we are burning the midnight oil working on these issues, and will update this blog post as more details become clear. For now, please refer to the SANS ISC Daily Handler’s Diary for details, and we’ll post more as this developing incident unfolds.

One further note: While the numbers are only in the ~4,000 to ~5,000 range (still not small!), there are some very high-profile Web sites that seem to have been compromised in this attack.

PLEASE DO NOT GO SEARCHING FOR WEB SITE COMPROMISES. In this particular case, if you are not adequately prepared and protected, you can become a victim of your own curiosity.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

Image source: Fugato.net

ShareThis

Below is a screenshot of the sample spammed email message:

It appears to be offering a free PlayStation 3 along with a copy of GTA IV. And the ironic (or appropriate?) come-on: “Enter the Criminal Underworld.” Clicking on the link leads the user to the following site:

Given the immense popularity of this online game, its reception by the online gaming community is no longer just hype. The days before the release provided great opportunities for spammers to trick online users into clicking the links in the spammed email messages. Users who did so were asked to provide their email addresses — instead of the supposed free version of GTA IV, affected users received more spam. This is a common technique used by spammers to check whether the email accounts they have gathered are indeed active. Users who click on links are therefore unwittingly signaling spammers that their email addresses are indeed working accounts.

Fans — in the millions no doubt — proved to be most vulnerable to this spamming operation. And who says “no” to the doubly irresistible promise of being able to play the game before everyone else — and for free, too!

Interestingly, last year’s release of another famous online game, Halo 3, was relatively quiet when it came to online security issues. Both of these games were heavily promoted and marketed, which doesn’t explain why we see the spamming just now. Maybe last year’s media-documented campaign by a Florida lawyer against the game creators makes the game controversial enough to warrant spammers’ time and attention.

As usual, users are advised to refrain from clicking on links regardless of how attractive the offers are.

Thanks to Trina Baetiong of Content Security for details regarding this spam run.

ShareThis

Last month started with an April Fool’s message being spammed around. The spammed email contained a link from where a variant of the Storm malware could be downloaded. Aside from that, we’ve had our usual fill of Trojans and malicious scripts that plagued compromised Web sites for April.

Notable Malware

TROJ_AGENT.AMAL
This Trojan poses as a browser plugin that must be installed first to view files that are supposed to come from a fake US federal judiciary Web site. Reported last April 15, the link to the fake site comes from spammed email messages claiming to be legitimate court subpoenas. To add credibility to the spammed email, the sender uses a uscourts.com email address, which may seem authentic to unsuspecting recipients of the message.

TROJ_SPAMBOT.AF
TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.

TROJ_AGENT.AZZZ
Reported last April 5, this Trojan uses an old technique to trick users into compromising their systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging the users to download a patch from a certain link present in the email. Of course, the patch is actually the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ.

WORM_NUWAR.JQ
TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

Exploits and Vulnerabilities

BKDR_POISONIV.QI and EXPL_NEVAR.B
A backdoor exploiting a recent vulnerability in Microsoft’s GDI processing was discovered right after Patch Tuesday last April 8. A file named TOP.JPG has been found to do this. It arrives on a system as an executable, now detected as EXPL_NEVAR.B. With just this opening available to malware authors, they can do pretty much anything after exploiting this vulnerability. Its specific routine is to connect to a URL to download a file named WORD.GIF (also detected as BKDR_POISONIV.QI).

Web Incidents

JS_DLOADER.TVP and JS_IFRAME.US
Early this month, several Web sites have been compromised by search engine optimization (SEO) poisoning. Some of the compromised sites were that of the Washington State University and several news sites such as Sun Gazette and Tribune-Chronicle. For the past few months, education Web sites (*.edu) were the ones targeted for such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iFrame component that is inserted into the HTML code of the Web page. When the browser is redirected by this malicious iFrame, it downloads the malicious script file JS_DLOADER.TVP.

That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.

ShareThis

According to Trend Micro analysts, the attack rolls out like this:

1. The compromised Web sites contain obfuscated JavaScript code (detected as JS_AFIR.A) that redirects the browser to the malicious URL http://{BLOCKED}r.com/cgi-bin/index.cgi?grb&js=1.

The script checks the Internet Explorer version and language so it will only execute on Italian ones.

2. The said URL redirects to another URL: http://{BLOCKED}f.com/cgi-bin/index.cgi?grobin (blocked by Web Reputation Services since April 27).

The two malicious sites were found to be hosted in a single IP traced back to San Diego, California.

3. The said sites download TROJ_SINOWAL.CB (detected since April 26 GMT) from the same domain. TROJ_SINOWAL.CB then drops BKDR_SINOWAL.CF (detected since April 30 GMT), which in turn drops a rootkit component on the affected PC.

This rootkit component modifies certain sectors of the infected hard disk. It also hooks Driver.sys to protect these sectors from read and write operations from AV/security software.

See infection diagram below.

SINOWAL malware variants are known information stealer droppers.

As of this writing, TrendLabs has discovered two forms of this compromise: one is via an injected obfuscated script that redirects to a certain malicious URL, and the other is via a readable iFrame and the same obfuscated script.

It appears that this attack affects sites hosted in Italy by a single hosting provider — the same one that hosted the thousands of sites (mostly travel and leisure) in last year’s large-scale infection. This time, compromised sites include the following:

• The official site of Monica Bellucci (famous Italian model-actress)
• The Mercedes-Benz club of Italy
• The official Web page of Sabrina Salerno (Italian singer)
• A Johnny Depp fan site
• A fan site of Pearl Jam

Here are screenshots of the first three sites mentioned above:

Trend Micro customers are already protected from this threat. Web Threat Protection technology has prevented access to the malicious pages since 27 April 2008. The URLs have already been added to our emergency database and are blocked by WCS (Web Classify Server), making these accessible to customers. Also, the RootkitBuster tool is able to scan the MBR-rootkit component involved in this attack.

Last updated at 5:27 PM GMT, 3 May 2008

ShareThis

Blowing the lid off such transactions, they conduct illicit deals in the open through well-known sites—a tendency we would like to call the popularization of cyber crimes.

Back in February, we had an entry in the Japanese version of this blog about a similar case, in which a popular Korean net auction firm called Auction, Inc. (www.auction.co.kr) confirmed that the information of 10.81 million individuals had indeed been compromised. This is a large-scale theft that, to say the least, got its users worried; some groups even contemplated filing lawsuits.

Then there is the Chinese Internet portal O2SKY, in whose free market page were posted at least two entries seemingly related to the aforementioned Korean incident: the first on March 29, the second on April 11. These say: “Naver, I can sell the IDs of Auction, Inc.” Naver is one of Korea’s famous portals. The entries include the email addresses and telephone numbers of the vendors.

Here’s a screenshot of that entry:

O2SKY is owned by Yan Fan, Inc., which is located in Jilin Province, China. While it is a Chinese company, we can assume that the said entry was posted for Korean users, due to the geographical advantage of nearby Korea.

Taking a closer look into other related entries, we also found some that are encouraging readers to try out techniques to perform site breaches, hackings, compromises. These are a kind of advertisement dangling high salaries for those equipped with such skills. These are open invitations meant to lure the malicious-minded, making no secrets of its intentions.

Here’s a screenshot of the said ad looking for those with “skillz”:

In the two cases detailed above, there are several reasons why we believe these should not be classified as professional or organized crime. One is that the malicious users are openly posting their own easily traceable information in the public forums that almost anyone can anonymously visit.

So if these are perpetrated by neither professionals nor organized crime syndicates, then who is posting such entries? The possible figures would be as follows:

• Script Kiddies – they usually use the openly available cracking tools to steal individual information and sell it to others
• “Customers” of cyber criminals – they try to sell individual information that they initially bought from the professional criminals
• People who read media reports – those pretending to sell the individual information, but do not actually have said information. Another set of readers may be the adventurous type who want to recreate the same offenses based on the information they got from the media.

The existence of the so-called script kiddies should never be ignored. As the said hack and breach techniques are made more widely available, they also become more sophisticated that there will come a time when it will be harder to distinguish between a manually conducted breach and an automated one.

As part of the protection, some companies try to hire so-called ethical hackers who can help enhance their organizational security measures. In Sun Tzu’s The Art of War, the chapter on attack by stratagem shares this bit of wisdom: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This statement is a basic principle that can be applied even—or perhaps especially—to cyber crime and our ongoing fight against it.

Updated by Mayee Corpin (Technical Communications)

ShareThis

Its members include employees of the Treasury Department, Department of Homeland Security, U.S. Courts, and other similar companies & organizations in similar fields of government service. The TDFCU also has members who live, work, and do business with other similar governmental organizations located in Washington, D.C.

Recently, the TrendLabs Content Security team came across the phishing URL:

http://75.145.112.12/homepage/www.tdfcu.org/index.php

This loads a spoofed Web site that bears a close resemblance to the legitimate TDFCU’s online login page. This bogus site also lacks SSL security, as indicated by the absence of the lock icon in the status bar and the protocol used by the Web site.

One obvious indications that this is a bogus website is that no attempt has been made to disguise the phishing URL in the address bar, so it is quite easy for a user to determine that the website is not legitimate.

The phishing site asks also, of course, unwitting users for their IDs and passwords. After clicking the login button, the user will be redirected to a web page that prompts for information, which includes the Card Holder Name, e-Mail Address, Phone Number, Credit Card Number, Expiration Date, Code Verification Number, and ATM PIN.

Of course, this site is now blocked by Trend Micro’s WCS (Web Classify Server).

Like previous IRS-related phishing cases, this one could be targeting more high-profile personalities since members may belong to important government institutions (as mentioned in the beginning of this post). The TDFCU reminds its members that it does not send out e-mail requesting that the recipient download information onto their computers.

At the legitimate TDFCU website, they advise: “If you receive a request that appears to be from the Treasury Department Federal Credit Union with attachments requesting that you download information to your computer for security, DO NOT DO IT.”

That’s always good advice.

Updated by Mayee Corpin (Technical Communications) & Paul Ferguson (Advanced Threats Research)

ShareThis

This message says that my payment hasn’t been successful and that I need to update my payment information.

As you can see, the link displayed in the mail body is hxxp://adwords.google.com/select/login which is the legitimate one. But the real accessed Web site is hxxp://www.adwords.google.com.fke21.cn/select/Login which has nothing to do with the real one:

A quick robtex research on google.com.fke21.cn shows the following associated IPs:

In this screenshot, you can see that you have to login first using your Google AdWords account, but actually any e-mail address and password will fit since no real checking is done to verify the credentials anyway. The user is also asked to fill out fields such as credit card number and address:

ShareThis

While most of the cyber crime activities that we see being conducted on The Internet are being driven by illicit financial incentives, there also appears to be type of malicious activity being driven by other motivations altogether – “Hacktivism”.

Hacktivism is best explained as a combination of “hacking” and “activism”, traditionally rooted in cultural and/or geopolitical unrest. As Wikipedia defines it, Hacktivism is “…the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”

In fact, Hacktivist incidents stretch back over 20 years, but only in the past couple of years have they become more frequent, and more devastatingly malicious.

The most notable incident of regional Hacktivism were the Distributed Denial of Service (DDoS) attacks against government and corporate websites in Estonia in 2007, which actually began a worldwide dialog on the real threat of “Cyber Attacks” and the impact on national infrastructure.

However, the latest victims of Hacktivism appear to be several U.S. websites in Eastern Europe belonging to Radio Free Europe/Radio Liberty. It was reported Monday that “…the attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites…”

According to a statement on the Radio Free Europe/Radio Liberty website, RFE/RL had been “…hit before by denial-of-service attacks, but this attack was unprecedented in its scale, as RFE/RL websites received up to 50,000 fake hits every second.”

While incidents of Hacktivism are not new, they are beginning to become a lot more frequent — perhaps due to the availability of tools to conduct hacktivist mischief, but also perhaps due to the ubiquitous social networking mechanisms which can now be used as to build consensus when times of cultural or political unrest present the opportunity.

In any event, Hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity — sometimes in ways which we may have not even thought of yet.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

ShareThis

The most recent Internet-related clash between these two involved redirection: one candidate’s Web site leads users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS). Researchers were successful in reversing the attack, too, exploiting vulnerabilities and revealing these glitches to the site owners.

Internet-related incidents are not new in the coming U.S. presidential elections. TrendLabs, as early as November last year, reported on spamming activities that were seen as campaign materials for Ron Paul. Clinton herself was featured in a spam run that spewed malware into systems, turning them into bots to further spread spam.

This time, however, the cross-site scripting attacks are seen as benign as no malware were involved. With the increasing hype around spamming and other malicious activities, this might be a move driven by caution. Those who do it may have realized that malicious activities, once exposed, will inevitably taint individuals and their appearances to the media, or to everyone in general.

Researchers are still investigating how this type of attack could be used in more malicious criminal activity.

ShareThis