April 8th, 2009
Paul McCartney's official site serving malware
All you (don’t) need is malware on Paul McCartney’s official web site.
According to Mary Landesman at ScanSafe, the official web site of Paul McCartney (paulmccartney.com) has been compromised, and is serving live exploits to its visitors. Landesman points out that the compromise might have occurred through stolen FTP accounting data, taking into consideration the fact that the campaign is also present at several different flat HTML only web sites.
The process of automatically injecting malicious code at hundreds of sites through compromised FTP accounts is nothing new, and continues being in a development phase with the most recent kit released earlier this year. What has changed through, is the typical proposition for bulk-orders of data mined FTP credentials from botnets which the sellers are now offering to bargain hunters of such tools.
- Go through related incidents - Paris Hilton’s official web site serving malware; eBay solutions provider Auctiva.com infected with malware; USAID.gov compromised, malware and exploits served; Adobe’s Serious Magic site SQL Injected by Asprox botnet; 200,000 sites spreading web malware, China’s hosting the most; Sony PlayStation’s site SQL injected, redirecting to rogue security software; Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
Here’s a brief analysis of Paul McCartney’s site compromise. The attack is taking advantage of a newly distributed web malware exploitation kit which is already gaining popularity across the cybercrime ecosystem due to the several new features, among which is the use of RSA encryption of the javascript. Upon several redirections (84.244 .138.55 /google-analytics/ga.js -> 84.244 .138.55 /ts/in.cgi?sliframe -> 84.244 .138.55 /ase/?t=17), the visitor is exposed to the typical set of already patched client-side vulnerabilities which vary based on the administrator’s preferences.
The bottom line - would efficient exploitation of stolen FTP account data obtained through data mining an infected set of hosts re-emerge as a tactic of choice, or would massive SQL injection attacks through search engines reconnaissance targeting everyone, everywhere continue being the method of choice? In an increasingly multitasking cybercrime ecosystem, a combination of tactics is usually the method of choice.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
