There is yet another large-scale injection attack going on right now, with nearly 200,000 pages affected so far. The compromised pages are serving visitors with malicious code that sends them off to a remote server for installation of malware.
The attack is the latest in a series of similar campaigns in which criminals use various techniques, often SQL injection, to plant malicious JavaScript on a large number of Web pages. That code then either automatically redirects users to another site where malware is hosted or tries to install malware on the visitor’s machine directly.
In this most recent attack, which was analyzed by researchers at Armorize, the attackers are compromising sites built on ASP.NET and planting the malicious JavaScript. When a visitor lands on one of the compromised sites, the JavaScript loads an iframe from each of two remote sites, www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, each of which attempts to use a group of browser exploits against the visitor’s browser.
If one of the exploits is successful, the attack sequence continues with the installation of a piece of malware that then attempts to connect to a remote server based in the U.S. The attack is targeting users whose default browser language is English, French, German, Italian, Polish or Breton, Armorize said. The company estimates that there are about 180,000 pages involved in the attack at this point.
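For a site owner checking whether their own pages carry this kind of planted code, the telltale is a script or iframe whose source resolves to a host the site never legitimately loads from. The following scanner is an added example, not code from the article or from Armorize: it parses HTML with Python's standard library, lists every script or iframe that loads from a host outside a hypothetical allowlist, marks the two iframe hosts named in the article, and notes whether the element is sized or styled to be invisible. The page HTML and the allowlist are constructed for the example.

```python
"""Find injected <script>/<iframe> loads that point off-site, the pattern
left behind by mass SQL-injection campaigns that plant JavaScript in
page content (e.g. in database-backed text fields)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site is known to load resources from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# The two iframe destinations named in the article.
KNOWN_BAD_HOSTS = {"www3.strongdefenseiz.in", "www2.safetosecurity.rr.nu"}


def _looks_hidden(attrs):
    """True when the element is sized or styled so the visitor never sees it."""
    if attrs.get("width") == "0" or attrs.get("height") == "0":
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class OffsiteLoadFinder(HTMLParser):
    """Collect every <iframe>/<script> whose src host is outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attr_map = dict(attrs)
        src = attr_map.get("src")
        if not src:
            return
        host = urlparse(src).hostname  # None for relative URLs, which stay on-site
        if host and host not in ALLOWED_HOSTS:
            self.findings.append({
                "tag": tag,
                "host": host,
                "known_bad": host in KNOWN_BAD_HOSTS,
                "hidden": _looks_hidden(attr_map),
            })


def scan_html(html):
    """Return the list of off-site script/iframe loads found in one page."""
    parser = OffsiteLoadFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_pages(pages):
    """Return {page_name: findings} for every page with at least one off-site load."""
    flagged = {}
    for name, html in pages.items():
        findings = scan_html(html)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample pages: one clean, one carrying the campaign's pattern,
# one loading a hidden iframe from an unrelated off-site host.
SAMPLE_PAGES = {
    "clean": '<html><body><p>Welcome</p>'
             '<script src="https://cdn.example.com/app.js"></script></body></html>',
    "injected": '<html><body><p>Welcome</p>'
                '<script src="http://www3.strongdefenseiz.in/loader.js"></script>'
                '<iframe src="http://www2.safetosecurity.rr.nu/a.php" width="0" height="0"></iframe>'
                '</body></html>',
    "offsite_unknown": '<iframe src="//unknown-host.example.net/ad" style="display: none"></iframe>',
}

if __name__ == "__main__":
    for name, findings in scan_pages(SAMPLE_PAGES).items():
        for f in findings:
            flag = "KNOWN-BAD" if f["known_bad"] else "review"
            print(f"{name}: <{f['tag']}> from {f['host']} [{flag}]"
                  f"{' (hidden)' if f['hidden'] else ''}")
```

Run it against rendered pages or against the raw text columns the CMS stores, since an injected tag usually lives in the database rather than in a file on disk. A host that is neither allowlisted nor known-bad is not proof of compromise, only something to review; a hidden, zero-size iframe from such a host is the combination worth escalating.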
The last couple of years have seen quite a few of these kinds of attacks, including the LizaMoon attack earlier this year and another that targeted sites running Microsoft IIS last year. The attacks take advantage of poorly configured or secured Web servers and then use those compromised pages as jumping-off points for second-phase attacks against visitors to the sites. Those client-side attacks typically involve drive-by download attempts that exploit vulnerabilities in common browsers or browser components, such as Flash or QuickTime.