Security researchers at Websense say the tactics are reminiscent of the notorious RBN group
Researchers at Websense are reporting a mass compromise that may have affected as many as 40,000 Websites.
Although Websense would not name any of the compromised sites, researchers said the victims did not include any “big-name government or business sites.” The compromised sites are redirecting users to typo-squatted misspellings of legitimate Google Analytics domains. From there, users are redirected to the malicious Beladen.net site.
“The Google Analytics site serves as a statistics keeper, and the Beladen site is used to host the exploits,” said Stephan Chenette, manager of security research for Websense Security Labs. “It analyses the end-user PC and attempts to exploit several different unpatched vulnerabilities … If none of the unpatched vulnerabilities exist, it delivers a popup claiming that the PC is infected in an attempt to trick the user into installing rogue anti-virus software.”
According to Websense, the Beladen site is stacked with multiple types of malware—as many as 15 to 20 different exploits targeting various vulnerabilities.
Just how the legitimate Websites are being compromised is unclear, though Websense researchers speculate that it is a SQL injection issue.
“We haven’t pieced together the common software or common application that all these Websites are running that allows this SQL injection to happen,” Chenette said. “They’re either running some kind of business application that they have in common … or these [FTP] accounts were compromised and that’s how attackers are able to inject code into these Websites.”
“RBN (Russian Business Network) actually used this exact same domain,” he continued. “So the patterns that they are using in terms of the domain name and the exploits that they are using are very indicative that the group responsible behind this might be either connected with RBN, might be RBN themselves or might be a copycat group that is using some of the resources that RBN used.”