An Internet-based attack aimed at about 65 financial targets in the United States, Europe and Australia was shut down after a two-and-a-half day run.
Hackers launched the "pharming" attack on Monday, Feb. 19 and authorities shut it down on Wednesday, according to Dan Hubbard, vice president of security research at Websense, which was tracking the attack. He described it as a sophisticated and multi-pronged attack that involved multiple IP addresses, server sites in four different countries and a deluge of fraudulent spam.
The term pharming is used to describe a hacker redirecting a user from a legitimate site to a fraudulent and malicious site where their machines are infected with malware.
Hubbard says he's not sure how many computers were infected during the two-and-a-half-day attack, but he says more than 1,000 machines were compromised in just one day.
"It was a professional team. It was very well planned," says Hubbard. "It was quite successful and very resilient. It wasn't just one IP address hosted in one country where you could shut it down and take care of it. This one has multiple IP addresses in multiple countries. It makes it more difficult to stop what is happening."
On Monday, the first e-mail lure was spammed out. It contained the bogus news that Australian Prime Minister John Howard was struggling for his life after suffering a heart attack. The e-mails are set up to appear to be a link to a news story from The Australian, a daily newspaper. The second e-mail lure offered up news of a cricket match in Australia. Hubbard notes he was surprised how many Americans were conned into clicking on a link for more information about Australian cricket.
The e-mail lures directed users to connect to a Web site for more information. When they clicked on the link, they were redirected to one of five different malicious Web sites, where their machines were infected with malware.
When anyone with a corrupted machine connected to a Web site for one of 65 banks or financial institutions, any information they entered there would be sent to both the real destination, as well as back to the hackers. The stolen information, along with more malicious code, was stored on a master server.
The fraudulent and malicious Web sites that users were directed to were hosted on servers based in the U.K., Germany, Estonia and the U.S., according to Hubbard.
He adds that the master server has been shut down and the exploit servers were either shut down or have been moved.
The pharming attack targeted companies such as Barclays Bank, the Bank of Scotland, PayPal, eBay, Discover Card and American Express.
Hubbard notes that most of the victims were Australians and Americans. According to Websense stats, 35% of the infections occurred in Australia; 32% happened in the U.S.; 11.5% took place in the U.K. and .2% transpired in Russia.