Thousands of SMBs Targeted in Malicious Redirect Campaign

Small and medium-sized businesses often think they’re not at cyber-risk because of their size. But an ongoing malware campaign has been uncovered that has affected thousands of websites since July, and is targeting “mom and pop” businesses.

The attack mechanism is a well-worn track: Online victims are experiencing drive-by downloads as a result of malicious redirections from legitimate websites, and rotating URLs are being used as the doorway to exploit kit landing pages.

Jérôme Segura, senior security researcher at Malwarebytes Labs, explained in an analysis that this particular instance is unique in how “it cleverly uses the same Flash-based redirection script, which also allows us to tie similar website compromises together.” Through this, it became clear that the campaign was a large, coordinated one.

“Security incidents seldom are unrelated,” Segura said. “Thousands of websites have been hacked and are performing malicious redirections, unbeknownst to their owners.”

By using DNS and subdomains to constantly generate new malicious URLs, the campaign has been able to effectively bypass URL blacklists. “There have been many malware reports involving afraid.org and other free DNS services, the bad guys often abuse them,” Segura said. “Such services allow anyone to register subdomains and therefore build a large pool of URLs that can be used and discarded easily.”

The hijacked victim websites are mostly those of SMB companies, with the Department of Statistics at Carnegie Mellon University being an exception. And the hackers are using exploit kits to leverage unpatched systems to perform code injections—indicating a general lack of security efforts on the part of the victimized companies.

In one instance, the web server was running an outdated version of Apache (2.2.15), which has several vulnerabilities.

“We also noticed the site was built on the Drupal content management system (CMS), which recently suffered a serious SQL injection vulnerability already exploited in the wild,” Segura said.

Apart from bad patch management, other factors that lead to websites being hacked are also likely at play, he said, such as poor passwords, insecure file permissions and so on.

Segura said that all of the hacks have a similar signature. The malicious piece of code that the perpetrators insert is a Flash application at the very bottom of the main page’s source code. The name variable, “EITest,” appears to be used statically across all compromised sites.

SMB owners should perform a full security audit, including patches for outdated CMS software, Flash and other plugins, he added.

“The website injections can be easily spotted at the bottom of the HTML source code,” he said. “If you are a website owner and you have discovered this script, please ensure to look for other signs of infections on your server. The code in itself represents the symptoms, but the real culprit often is a backdoor (malicious shell or other php code) that allows the bad guys access and the ability to refresh the malicious URLs.” 
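
The signature described above lends itself to an automated check of a web root. The following Python sketch is an added example, not code from Malwarebytes or from this article; it assumes the Flash application is embedded with an `object` or `embed` tag whose `id` or `name` is `EITest`, and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import Path

MARKER = "eitest"                        # name given in the article; compared case-insensitively
FLASH_TAGS = {"object", "embed"}         # assumption: tags normally used to embed Flash
EXTENSIONS = {".html", ".htm", ".php"}   # assumption: page types worth checking

class FlashFinder(HTMLParser):
    """Record (line, tag, attributes) for every Flash embed tag in a page."""
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag in FLASH_TAGS:
            self.embeds.append((self.getpos()[0], tag, dict(attrs)))

def scan_page(html, tail_fraction=0.2):
    """Return one finding per Flash embed whose id or name is the marker."""
    finder = FlashFinder()
    finder.feed(html)
    finder.close()
    total = len(html.splitlines())
    tail_start = total - max(1, int(total * tail_fraction))
    findings = []
    for line, tag, attrs in finder.embeds:
        names = {(attrs.get(key) or "").lower() for key in ("id", "name")}
        if MARKER in names:
            findings.append({"line": line, "tag": tag, "in_tail": line > tail_start})
    return findings

def scan_tree(root):
    """Scan every page under a web root; return {path: findings} for hits only."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = scan_page(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample pages (not taken from any real site).
CLEAN = '<html><body>\n<embed name="banner" src="/media/banner.swf">\n</body></html>\n'
INJECTED = ("<html><body>\n<h1>Shop</h1>\n<p>Welcome</p>\n<p>Hours</p>\n<p>Contact</p>\n"
            '</body></html>\n<object id="EITest" data="http://placeholder.invalid/x.swf">'
            "</object>\n")

if __name__ == "__main__":
    print(scan_page(CLEAN), scan_page(INJECTED))
```

Point `scan_tree` at the site's document root. A hit identifies only the injected script, so it should trigger the wider server review for backdoors that Segura recommends.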
