Security experts say Russian hackers are using a sophisticated attack to compromise major E-commerce Web sites, which then infect visitors with hacker tools designed to steal passwords and financial data, and possibly spew spam.
Internet security organizations are warning that dozens of major Internet sites, and potentially thousands of Web sites across the Internet, are currently under attack.
Several Web administrators from major companies said their Windows-based Web servers were compromised despite being up to date on security patches, security analysts reported.
"We've been watching activity since last Sunday, but it's now hit a critical mass," says Marcus Sachs, director of the SANS Internet Storm Center, who is in communications with Homeland Security's National Cyber Security division about the attack.
The attack appears to be one of the most sophisticated Internet attacks to date. The attackers are compromising and infecting E-commerce and corporate Web sites with malicious code. That code is used to infect Web surfers' using certain versions of Internet Explorer.
Security experts say Web surfers visiting these sites are at risk of having their machines infected with Trojan horse applications, used to hijack computers, as well as keystroke loggers, which are capable of stealing personal information such as financial account numbers and passwords.
It's not clear if the latest Internet Explorer patches are able to protect users' systems from becoming infected. Internet security firm Symantec's DeepSight Threat Alert says IE users are being infected through a known, but still unpatched, Internet Explorer flaw.
Security experts have been studying the attack and are unclear about the motive behind it. Some say the attacks can be traced to a Russian Web IP address of known spammers; others say the attack is designed to steal consumers' financial information.
Daniel J. Frasnelli, manager of the technical assistance center for managed security services provider NetSec, says it started monitoring the attack activity early Thursday and immediately notified its security customers.
NetSec wouldn't disclose the names of the E-commerce sites under attack, citing legal fears, but Frasnelli said infected sites include a major auction site, an auto-pricing site, and search-engine sites. "We all know these sites," he says.
Security researchers say it's not yet clear how the attackers have compromised these Web sites. "It'll take some considerable forensic examinations," says Alfred Huger, senior director of engineering for Internet security firm Symantec.
It appears that the attackers are compromising Web servers running Microsoft's Internet Information Services, either because they aren't patched or through a newfound software vulnerability.
Web surfers who visit infected sites are infected via gif images or other Web-site objects that have malicious code attached to them, including keystroke loggers and Trojan horse applications.
"Our big concern is that there is a zero-day vulnerability in IIS," Sachs says.
Microsoft is investigating the attacks. The software vendor issued a statement saying that "at 4:00 pm PT [Thursday], Microsoft began investigating reports that some customers running unprotected versions of IIS 5.0, a component of Windows 2000 Server, were being targeted."
Microsoft and Symantec say these sites are being hit with a malicious application known as Download_Ject.
At 3 a.m. Friday, Microsoft issued a statement saying that "early indications suggest" that unpatched IIS 5.0 Servers are the systems targeted in the attack. Microsoft said the servers have not been updated with the patch included in Microsoft security bulletin April MS04-011. "Customers should ensure they have installed MS04-011 to help secure against the issues corrected by that security update," the company said.
Microsoft is also urging its customers to download and install the IE patch included with Microsoft Security Bulletin MS04-013 and that they "utilize high security settings" in Internet Explorer.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.