Contributor: Roberto Sponchioni
It didn’t take long for 2016 to present a global infection. After only a few days into the new year, Symantec telemetry registered significant spikes in detections for the Intrusion Prevention System (IPS) signature Web Attack: Mass Injection Website 19. This signature is used to detect when a hidden script injected in a compromised website is used to redirect users to a website hosting malicious code. It is triggered when a user browses a compromised website.
Figure 1. Detections for Web Attack: Mass Injection Website 19
Attempts to access the malicious websites were mostly seen in the United States (47 percent), followed by India (12 percent), then the United Kingdom, Italy, and Japan (6 percent each).
Figure 2. Percentage of detections for Web Attack: Mass Injection Website 19 by country
Symantec identified thousands of websites that had been injected with script code to redirect to additional scripting code. Of the compromised websites, 75 percent were located in the US. The websites injected with script code can be of any type and target a variety of organizations, including the following:
- Business websites
- .edu websites
- Government websites
Figure 3. Location of affected websites
The compromised websites we investigated all used a common content management system. More than likely the attackers are using automated scripts to scan these websites so they can automatically exploit bugs and possibly inject malicious HTML code into the vulnerable sites.
The malicious code injection can be seen in the HTML source code of these infected websites. Figure 4 shows the injected code before the </head> tag.
Figure 4. Malicious code injection
Once a compromised page has loaded in the user’s browser, the malicious script waits 10 seconds and then runs remote JavaScript code, which in turn runs additional scripts. There are typically two to five additional scripts included as a chain to hide the infection from the victim.
These scripts may be able to collect the following information:
- Page title
- URL page address displayed by the browser
- Referrer—so the attackers know how the user ended up on the current page and to possibly collect information about search term queries
- Shockwave Flash version
- User language
- Monitor resolution
- Host IP address
Symantec did not identify any malware associated with this injection attack. Based on our tests the script chain does not lead to any malicious downloads. It is likely that the attacks are a reconnaissance activity to learn more about users and utilize that information in another attack. The possibilities for future attacks include the delivery of advertisements, SEO poisoning attacks, or criminals modifying the code to deliver malware and compromise unprotected users.
Mitigation
Symantec recommends that web administrators check to ensure that the malicious code found in Figure 4 is not present on their website. Changing the admin password is not sufficient and the website must be completely sanitized. To accomplish this, we recommend running a full antivirus scan, checking the files on the webserver to remove any back doors, and then changing the administrator password.
Protection
Norton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these redirections with the following detection:
Intrusion Prevention System