Monday, November 19, 2007

Big hack today

Hi folks,

It seems that company.monster.com suffered some sort of iframe injection attack today. Our SearchShield prevalence data has detected multiple brands affected, including Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial and Tricounties Bank, whose pages were hacked and are iframing out to an exploit server.

It was probably just today, as it wasn't showing up yesterday, and was not in any search engine cache that we could see.

Monster has already taken the pages offline. Yay, Monster.

We detect it as the Neosploit exploit package. It is fairly well encrypted, so it's not yet clear exactly what exploits are in use. We'll post more information as we figure that out.

It is also not clear how many pages were affected, but it is likely that the attack was the same for all companies on the website, which _might_ turn out to be a pretty good set of the Fortune 500.

A couple of individual researchers noticed it at about the same time we did, but I'm not sure if they can be mentioned / want to be mentioned, so I'll reserve that for the moment.

Cheers

Roger

5 Comments:

At 9:51 AM, Anonymous Anonymous said...

Can you release the "drop" site IP address?

 
At 10:22 AM, Blogger tcsl said...

58.65.238.116 ... careful

 
At 6:34 AM, Anonymous Anonymous said...

How do you think these guys are getting the iframes onto sites like Monster? Is it through poisoned flash ads or rooting the servers themselves?

 
At 6:57 AM, Blogger tcsl said...

It _can_ be any of your suggestions... in the case of Monster, I think they found a way to poison some SQL input screen, which in turn was used to generate the HTML. Only Monster knows for sure though, and they're not saying.

 
At 1:55 AM, Anonymous Anonymous said...

We identified the same problem on a major UK retail site and pointed this out to them, and 3 months later the web design agency have still not fixed it - we've even given them the exact fixes!

Maybe only a few more days now :>)

 
