July 21st, 2008
Kaspersky's Malaysian site hacked by Turkish hacker
According to Zone-h.org, Kaspersky’s Malaysian site has been defaced by a Turkish hacker during the weekend, through a
SQL injection, leaving the following message - “hacked by m0sted And Amen Kaspersky Shop Hax0red No War Turkish Hacker Thanx to Terrorist Crew all team members“.
“The official Malaysian Kaspersky Antivirus’s website has been hacked yesterday by a Turkish cracker going by the handle of “m0sted”. Along with it, the same cracker hacked also the official Kaspersky S.E.S. online shop and its several other subdomains. The attacker reported “patriotism” as the reason behind the attack and “SQL Injection” as the technical way the intrusion was performed.
Both websites has been home page defaced as well as several other secondary pages. The incident, though appearing a simple website defacement, might carry along big risks for end-users because from both the websites, evaluation copies of the Kaspersky Antivirus are distributed to the public. In theory, the attacker could have uploaded trojanized versions of the antivirus, infecting in this way the unaware users attempting a download from a trusted Kaspersky’s file repository (remember the trojan in the Debian file repository?).”
Are users at risk due to the compromise? Not in this case, however, the attack is a wake up call which if not taken seriously enough could result in an ironic situation where a security vendor’s site is infecting its visitors with malware. It has happened before, and it will definitely happen again.
This is not an isolated incident. According to Zone-h’s archive, since 2000 there have been 36 web site defacements of international Kaspersky sites, with Kaspersky’s French site getting hacked and re-hacked on an yearly basis. And while in none of the incidents there was any malicious software served, or a live exploit URL that could have been embedded into the legitimate site, there’s an ongoing trend related to web site defacements in regard to their interest in monetizing the access they have to the vulnerable sites, by injecting malware URLs, hosting phishing pages, and also, locally hosting blackhat SEO junk pages where they would eventually earn money through affiliate based networks.
In the time of blogging there’s no indication of a malware attack at the site, and kaspersky.com.my remains offline, presumably in an attempt to audit the site for web application vulnerabilities before putting it back online.
Related posts :
- 300 Lithuanian sites hacked by Russian hackers
- China detains web site defacer spreading earthquake rumors
- Phoenix Mars Lander’s mission site hacked
- Pro-Serbian hacktivists attacking Albanian web sites
- Comcast’s DNS records hijacked, redirect to hacked page
- Photobucket’s DNS records hijacked by Turkish hacking group
- ICANN and IANA’s domains hijacked by Turkish hacking group
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
