‘Professional’ hackers at large
By Smitch - CTO | September 20, 2007
A group of hackers using a commercial hacking program (MPack) is on the loose and causing considerable concern among website owners and hosting companies.
They are accessing multiple web sites to add a single line of code directly to the main index pages, which closes down the browser window and brings up a pop-up window advising the user that they have virus / spyware / porno files on their computer, and they need to download and run a cleaner (typically DiskCleaner or WinCleaner).
If the unsuspecting user takes the offer of the download they actually get a keystroke logger installed, and away goes such info as bank details, passwords, etc, etc. It also installs a cookie which returns them back to the hacker’s site at random intervals to get infested again.
The MPack software is clever: it is being sold on Russian forums at $1000 a go with a year’s support, and is being updated almost monthly to exploit new vulnerabilities in various browsers and other software.
A BBC News report a couple of months ago describes MPack’s history in a little more detail: http://news.bbc.co.uk/1/hi/technology/6221306.stm
The hackers are also testing the passwords they gather to see if the same password is good for root, control panel or mail access.
Suggestions:
1) Check your web site(s) for a new piece of code, particularly directly under the <body> tag, and if it’s there remove it immediately.
2) Make sure that you use different, intricate passwords, unique to each part of your site(s): different ones for FTP, root, control panels, mail, etc.
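One way to carry out the check in suggestion 1, as an added example that is not part of the original post: compare each deployed index page against a known-good copy and flag any new line on or right after the `<body>` tag. The sample pages, the `injected.example.invalid` host and the list of tags treated as active content are assumptions constructed for illustration.

```python
import difflib
import re

BODY_OPEN = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
# Tags that load or run content; treating these as "active" is an assumption of this example.
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)

# Constructed sample pages (not taken from any real site).
KNOWN_GOOD = """<html>
<head><title>Shop</title></head>
<body>
<h1>Welcome</h1>
</body>
</html>"""

DEPLOYED = """<html>
<head><title>Shop</title></head>
<body>
<script src="http://injected.example.invalid/x.js"></script>
<h1>Welcome</h1>
<p>New offer</p>
</body>
</html>"""


def added_lines(known_good, deployed):
    """Return (line_number, text) for lines in deployed that are not in known_good."""
    good, live = known_good.splitlines(), deployed.splitlines()
    matcher = difflib.SequenceMatcher(None, good, live, autojunk=False)
    found = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            found.extend((n + 1, live[n]) for n in range(j1, j2))
    return found


def review(known_good, deployed):
    """Describe each added line: its position relative to <body> and whether it is active."""
    live = deployed.splitlines()
    body = next((i + 1 for i, l in enumerate(live) if BODY_OPEN.search(l)), None)
    findings = []
    for num, text in added_lines(known_good, deployed):
        findings.append({
            "line": num,
            "text": text.strip(),
            # Same line as <body> (the tag line was rewritten) or the line right after it.
            "at_body": body is not None and num in (body, body + 1),
            "active": bool(ACTIVE.search(text)),
        })
    return findings
```

Calling `review(KNOWN_GOOD, DEPLOYED)` returns one entry per added line; entries with both `at_body` and `active` set are the ones to inspect first, while the rest may be legitimate edits.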
This isn’t a new threat, but it is suddenly picking up speed. The added code is even being picked up by search engine bots.
Related link: http://www.sophos.com/security/blog/2007/09/580.html