HackDig : Dig high-quality web security articles for hacker

Malicious Code Lurks in “Account Suspended” Pages

2015-02-27 06:15

Cybercriminals have found a way to distribute their malicious payloads and hide their traces by planting rogue code into the web page displayed when accounts are suspended.

Security researchers discovered that the crooks turned to this trick to mislead visitors into believing that the website they reached was no longer active, which makes it harder for a victim to work out how their computer was compromised.

Website appears dormant but it is highly active

Jerome Segura of Malwarebytes found the mischievous tactic on websites managed through cPanel, one of the most used web hosting administration panels.

The first hint that the “Account Suspended” page carried more than a notice of inactivity was its location: it was not served from the root of the domain, where a genuine suspension page would normally be.

Segura found evidence that a legitimate website had been compromised and that a fake “Account Suspended” page on it included a malicious iframe leading to the landing page of the Fiesta exploit kit.

Exploit kit checks for vulnerable Flash, Silverlight, PDF and Java

Both the URL pointing to the attack tool and the size parameters of the iframe are changed constantly, a tactic meant to defeat basic blacklisting and detection by security tools that rely on signatures to catch the nasty elements.
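As an added illustration, not code from Segura's write-up or the original article, the check below flags iframes that a genuine suspension page should never contain, judging by structure (off-domain source, invisible size) rather than by the rotating URL and size values; the host names and the sample HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'2', '2px' or '0' -> int; None when the attribute is absent/unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_rogue_iframes(html, site_host, max_px=10):
    """Return iframes whose src points off the hosting domain or whose size
    makes them invisible (either dimension <= max_px). The check is structural,
    so rotating the URL and the width/height values does not evade it."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same host
        reasons = []
        if host != site_host:
            reasons.append("off-domain src")
        width, height = _px(frame.get("width")), _px(frame.get("height"))
        if any(d is not None and d <= max_px for d in (width, height)):
            reasons.append("hidden-size iframe")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample modelled on the case above; hosts and paths are invented.
SAMPLE_SUSPENDED_PAGE = """<html><head><title>Account Suspended</title></head>
<body><h1>Account Suspended</h1><p>This Account Has Been Suspended</p>
<iframe src="http://landing.example.invalid/r/?k=778" width="2" height="7"
 style="visibility:hidden"></iframe></body></html>"""
```

Run it against a suspected page with the hosting domain as `site_host`; a genuine suspension page yields an empty list.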

When a user loads the malicious page, it fingerprints the web browser and checks whether it carries vulnerable plug-in versions. The analysis showed that the code was obfuscated to hinder identification of the malicious parts.

Segura noted on Thursday that the Fiesta landing page calls multiple exploits, for Flash Player (CVE-2015-0311), Silverlight (CVE-2013-0074), PDF (CVE-2010-0188) and Java (CVE-2013-2465); only one of them is used against the outdated computer.

“This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as ‘already terminated by the hosting provider’, when in fact it’s not,” the researcher concludes.

The general recommendation is to apply the latest software patches issued by developers, above all for browser plug-ins.

