Website malware hijacks 500,000 computers

Proofpoint security researcher Wayne Huang has released a report detailing the inner workings of a cybercrime group that reportedly had control of about 500,000 devices.

The entire scheme begins with the cybercrime group buying stolen passwords from others. What passwords did they seek?

Website passwords!

Using those passwords, they would upload a backdoor shell, which still allowed the website to function normally. Then, as the website owner drew more visitors to the site, the cybercriminals would inject their code into the website’s files and infect the devices (computers, tablets, smartphones…) of those visitors. In other words, website malware was used to infect the visitors’ devices.

The owners would keep using their infected devices as usual, but the cybercriminals would receive any banking login information and other logins – which was their original plan.

As an additional bonus, the cybercriminals would also rent out access to these infected devices, now under their control, to other underground criminals to use as they wish.

Since most of us have anti-virus programs on all our devices, how did they get so many devices infected?

This group of hackers (cybercriminals if you prefer) used a service that checks their malicious code against all the anti-virus programs available. If the service found any that detected the malicious code, the hackers would use a variety of techniques to change the malicious code enough to “fly under the radar”.

Their website malware would only attempt to infect the devices of “regular”-looking visitors. They had lists of IP addresses for various security companies and sites, and their malicious website code would only be served to IP addresses not on their list.

[Figure: Proofpoint attack chain]

This graphic is from the Proofpoint research.

Notice where it all starts on the far left – infected websites.

Still don’t think hackers want your website?

Guess again.

This research shows how important your website is to the cybercriminals and, if you’re a website developer or webmaster, how important all the websites you work on are. They need your websites. They want your websites.

The security researcher Huang was able to find the address of the cybercriminals’ control panel. Believe it or not, they had left it unprotected – no password required. Once in, he was able to grab more information, which he presented in his research paper.

Huang contacted some of the website owners when he found out who had the website malware on their sites. Many of them checked their sites with some of the online scanners and the reports came back clean. This was due to the IP address list the hackers had built into their malicious website code.

Please understand that cybercriminals are not all going after the Targets, Home Depots and banks. Quite often they need your website to start their money-making schemes.

If you have any questions about this or website malware in general, please either contact me at traef@wewatchyourwebsite.com or post a comment.

Thank you for reading.