A recently identified malware campaign uses thousands of legitimate but compromised sites to infect users with viruses.
These hacked websites have become unwitting participants in a rather sophisticated scheme that employs social engineering with fake but convincing update notifications.
The campaign, which according to researchers began last December, works by infecting websites running a variety of content management systems, such as WordPress, Joomla, and Squarespace. The hack begins by causing the sites to display authentic-appearing messages to a narrowly targeted set of visitors. The message then instructs them to install updates for Firefox, Chrome, or Flash, depending on the browser they're using. When the user authorizes the "update," it triggers the download of a malicious file consisting of backdoor or trojan software, specifically designed to identify financial accounts and steal banking details stored on the system.
There are a few things that speak to the ingenuity of the hackers behind this campaign. First, the attackers digitally fingerprint potential targets. This ensures that a fake update notification isn't shown to a given IP address more than once, giving the hackers multiple chances to infect a given computer without arousing suspicion. Second, the update templates are hosted on genuine websites that had previously been hacked, which gives the notifications themselves an air of legitimacy.
At this point, it is impossible to give a definitive estimate of how many accounts have been compromised as a result of this campaign. Considering the large number of commonly visited sites still identified as infected, however, the number of victims is likely high.
So where is this campaign emanating from and who’s responsible? Forensic indicators might offer some clues.
Upon analysis, researchers identified the malware used in the hacks as the Chthonic banking virus, a variant of the infamous Zeus trojan that began to wreak havoc on systems back in 2009. The FBI has traced Zeus virus attacks to criminal groups made up of Eastern European hackers with substantial networks in the United States. These U.S.-based collaborators primarily ran the "backend" of the campaign, setting up fake financial accounts with which to launder money stolen from victims. In the past, tracking the fraudsters has led the FBI to numerous arrests of suspects connected to other bank fraud schemes. With any luck, the intelligence gleaned from that period by federal law enforcement will help identify the source of this latest campaign.
Now that the cover of this coordinated effort has been blown, site operators can begin purging fake updates emanating from their websites. It won’t go away overnight, but at least it will be a move in the right direction.
For users, this news should serve as a strong reminder to be wary of update prompts and other notifications claiming to come from sites and online service providers. As this latest campaign has shown, hackers have perfected this method of fraud to a dangerous and efficient science.