The attack, which lasted two and a half days before it was shut down, was described as a sophisticated, multi-pronged operation.
An Internet-based attack aimed at about 65 financial targets in the United States, Europe and Australia was shut down after a two-and-a-half day run.
Hackers launched the "pharming" attack on Monday, Feb. 19 and authorities shut it down on Wednesday, according to Dan Hubbard, vice president of security research at Websense, which was tracking the attack. He described it as a sophisticated and multi-pronged attack that involved multiple IP addresses, server sites in four different countries and a deluge of fraudulent spam.
The term pharming is used to describe a hacker redirecting a user from a legitimate site to a fraudulent and malicious site where their machines are infected with malware.
Hubbard says he's not sure how many computers were infected during the two-and-a-half-day attack, but he says more than 1,000 machines were compromised in just one day.
"It was a professional team. It was very well planned," says Hubbard. "It was quite successful and very resilient. It wasn't just one IP address hosted in one country where you could shut it down and take care of it. This one has multiple IP addresses in multiple countries. It makes it more difficult to stop what is happening."
On Monday, the first e-mail lure was spammed out. It contained the bogus news that Australian Prime Minister John Howard was struggling for his life after suffering a heart attack. The e-mails are set up to appear to be a link to a news story from The Australian, a daily newspaper. The second e-mail lure offered up news of a cricket match in Australia. Hubbard notes he was surprised how many Americans were conned into clicking on a link for more information about Australian cricket.
The e-mail lures directed users to connect to a Web site for more information. When they clicked on the link, they were redirected to one of five different malicious Web sites, where their machines were infected with malware.
When anyone with a corrupted machine connected to a Web site for one of 65 banks or financial institutions, any information they entered there would be sent to both the real destination, as well as back to the hackers. The stolen information, along with more malicious code, was stored on a master server.
The fraudulent and malicious Web sites that users were directed to were hosted on servers based in the U.K., Germany, Estonia and the U.S., according to Hubbard.
He adds that the master server has been shut down and the exploit servers were either shut down or have been moved.
The pharming attack targeted companies such as Barclays Bank, the Bank of Scotland, PayPal, eBay, Discover Card and American Express.
Hubbard notes that most of the victims were Australians and Americans. According to Websense stats, 35% of the infections occurred in Australia; 32% happened in the U.S.; 11.5% took place in the U.K. and .2% transpired in Russia.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.