SQL Injection Attacks Aimed at Stealing Gaming Credentials, Experts Say

The mass SQL injection attack that has been ongoing for a week or so now is designed mainly to steal credentials for online games and is quite well planned and organized, experts say.


The attack, which has been using two specific domains as part of a widespread SQL injection campaign, is targeting sites running ASP.NET applications. It uses SQL injection to compromise the applications and plant malicious code in the back-end database, which the applications then serve to their visitors, according to an analysis by researchers at Armorize, a Web application security company.

The servers themselves are compromised through ordinary SQL injection flaws in the Web applications; the client-side exploit delivered by the injected code targets a flaw in Adobe Flash that was publicized earlier this month and patched late last week by Adobe. Here’s how the attack works:

Server-side:
1. Attack vectors used in the mass SQL injections were targeted and specific: pre-scanning took place beforehand, with vectors waiting to be used upon availability of the 0day.
2. Attacks targeted ASP.NET Web applications vulnerable to SQL injection and using SQL Server as the database. We note that most of the fault is attributed to the vulnerable Web application itself, not IIS, ASP.NET or SQL Server.

Client-side:
1. 0day discovered in Asia, by a known group, possibly via fuzzing.
2. 0day initially used (and captured) in emails as part of targeted attacks, often against Asian personnel.
3. 0day leveraged in mass SQL injection attempts shortly after the POC was discovered in the wild.
4. Exploit code involves mechanisms to defeat behavior-based analysis.
5. Exploit generated by CuteQQ / Anhey.

The attack includes some code specifically designed to evade Web application firewalls, and it is being thrown against sites running several different versions of Microsoft’s IIS Web server software. The Armorize researchers say that the attacks look to be the work of a group using the name “dnf666,” which launched a similar mass SQL injection campaign in March.
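The article says the injected requests carry code meant to slip past Web application firewalls, but does not say how. The following is an added example, not code from the article or from Armorize's analysis. It assumes one evasion commonly seen in mass SQL injection campaigns of this period (the page does not confirm this campaign used it): wrapping the real T-SQL in a hex literal, `CAST(0x... AS VARCHAR)`, so that keyword filters looking at the raw query string never see `UPDATE` or `CURSOR`. The scanner below reads IIS W3C log lines, URL-decodes the query, decodes any hex blob the way SQL Server would, and flags statement-level markers in either layer. The log lines and the inner statement are constructed for the example; a real payload would rewrite every text column it could reach.

```python
"""Flag hex-obfuscated T-SQL in IIS-style query strings.

Added example, not from the Threatpost article or Armorize's analysis.
Assumptions: the WAF-evasion trick is the CAST(0x... AS VARCHAR) hex-blob
construction seen in mass SQL injection campaigns of this period; the
article itself does not say which obfuscation was used. The log lines
below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS VARCHAR|NVARCHAR(...)): the hex blob hides the statement
# from naive keyword filters; the database decodes it at EXEC time.
HEX_CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.I)

# Statement-level markers a mass-injection payload needs. They are matched
# against the URL-decoded query AND the decoded hex blobs, so the blob
# trick does not help the attacker. Kept narrow (e.g. "UPDATE x SET", not
# bare "update") to avoid flagging ordinary search terms.
MARKERS = {
    "declare": re.compile(r"DECLARE\s+@\w+", re.I),
    "exec": re.compile(r"EXEC\s*\(", re.I),
    "cursor": re.compile(r"\bCURSOR\b", re.I),
    "update": re.compile(r"\bUPDATE\s+\S+\s+SET\b", re.I),
}


def decode_hex_blob(hexdigits: str) -> str:
    """Decode a 0x... literal the way SQL Server would when it is CAST to text."""
    if len(hexdigits) % 2:          # odd nibble count: pad like the server does
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    # NVARCHAR blobs are UTF-16LE: for ASCII text every odd byte is 0x00.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyze_query(cs_uri_query: str) -> dict:
    """Return decoded query, decoded hex blobs and the markers found in either."""
    query = unquote_plus(cs_uri_query)          # IIS logs '+' for spaces
    blobs = [decode_hex_blob(h) for h in HEX_CAST_RE.findall(query)]
    texts = [query] + blobs
    hits = sorted(name for name, rx in MARKERS.items()
                  if any(rx.search(t) for t in texts))
    return {"decoded_query": query, "decoded_blobs": blobs, "markers": hits}


def scan_iis_log(lines) -> list:
    """Scan W3C-format IIS log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):    # directives, blank lines
            continue
        fields = line.split(" ")
        if len(fields) < 9:
            continue
        date, time, _sip, method, stem, query, _port, _user, client = fields[:9]
        result = analyze_query(query)
        if result["decoded_blobs"] or result["markers"]:
            findings.append({"time": f"{date} {time}", "client": client,
                             "method": method, "stem": stem, **result})
    return findings


# Constructed sample log (not captured traffic). The inner statement is a
# harmless placeholder standing in for whatever the blob really carried.
SAMPLE_INNER = "UPDATE demo SET note='constructed'"
SAMPLE_HEX = SAMPLE_INNER.encode("ascii").hex().upper()
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-06-01 03:12:44 10.0.0.5 GET /products.aspx id=42 80 - 192.0.2.10 Mozilla/5.0 200
2010-06-01 03:12:49 10.0.0.5 GET /search.aspx q=update+notes 80 - 192.0.2.11 Mozilla/5.0 200
2010-06-01 03:12:51 10.0.0.5 GET /products.aspx id=42;DECLARE+@T+VARCHAR(255);SET+@T=CAST(0x{SAMPLE_HEX}+AS+VARCHAR(255));EXEC(@T);-- 80 - 198.51.100.7 Mozilla/4.0 200
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f["time"], f["client"], f["stem"], f["markers"])
        for blob in f["decoded_blobs"]:
            print("  decoded blob:", blob)
```

The benign `q=update+notes` request is deliberately included: a filter that fires on the bare word `update` would block it, which is exactly why naive keyword rules get turned off and why decoding the blob before matching matters more than adding keywords.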

“DNF stands for ‘Dungeon Fighter,’ a popular online game in the Chinese community. It’s offered in Taiwan and in China on top of the QQ platform. dnf666.net was a platform selling (illegal) plugins to these online games. Adding these together, it’s no surprise that at the end of this article, our conclusion is the purpose of both robint.us and 2677.in attacks were aimed at stealing passwords to online games,” they wrote in their analysis.


Discussion

  • Anonymous on

    Your link to armorize's blog set off my avg link scanner and disabled access to the site.  Perhaps it is a false positive?

  • Caleb Sima on

    It is. AVG uses signatures. Since the post contains descriptive portions of the malware AVG will flag it. False positive.

  • Anonymous on

    Off topic: Definitely not an AVG false positive, there _IS_ what is flagged, more AVs report so. You should better use the malware/malicious javascript snippets as images, not inline-javascript code.

  • Wayne Huang on

    No, nothing is inlined, all javascript code is rendered not executed. The malicious domain is dead anyways.

    The code is for others to copy and use as signatures, that's why we're not using images
