MSNBC, other high profile sites compromised in massive hack attack

MSNBC Sports Web site became the latest victim in a string of hacker attacks that has compromised more than 26,000 other sites, according to a new alert by a Web security firm.

San Diego, Calif.-based Websense Inc. alerted MSNBC and the public about the security breach Tuesday.

The incident shows a growing trend of hackers injecting code into legitimate Web sites, as well as targeting major sporting events, says the Web security company.

Websense has been tracking the exploit since February and discovered the MSNBC intrusion in one of their standard Web scans, says Stephan Chenette, manager of Websense Security Labs. Other major sites affected include TV.com, News.com and History.com.

It is one group of unknown hackers behind the attacks, using the Web pages to redirect traffic to their malicious JavaScript code hosted by service providers known for hosting malware – Intercage and the Russian Business Network, Chenette says.

“I’m labeling this attack as a search engine input optimization attack.”

He says use of search engine optimization techniques by these Web sites makes them vulnerable to and eventually victims of an input validation attack.

Hackers are able to query Web sites with a search string containing the malicious code. When the site receives that query, the code is embedded in a hidden area not seen by users, but hackers can make active.

MSNBC responded to the security breach late on Tuesday, according to a statement issued by the company.
“Within minutes of learning of the issue, msnbc.com quickly and successfully secured the singular page that was affected,” it says.

“The issue has been resolved and consumers have been logging onto NBCSports.com without experiencing any problems.”

For users accessing these popular Web sites, the threat is not to be taken lightly, says James Quin, senior research analyst at London, Ont.-based Info-Tech Research Group.

Gone are the old days when hackers defaced Web sites merely for fun.

“It was effectively the electronic version of vandalism,” Quin says. Now it’s “a much more vicious and more serious threat.”

Unlike e-mails or instant messages that contain malware, contaminated Web sites don’t even require that a user take an action such as clicking on a link. The script is run automatically.

Hackers have designed the method to by-pass both security measures and the malware education of most Web users, Quin says. “It will make Web surfing something the average user has to be extremely careful about.”

At time of press, a Google search for the malicious code found 26,400 sites infected by the malicious code.

It is the result of hackers exploiting a shared vulnerability amongst the affected Web sites, says Alfred Huger, vice president of engineering for Symantec Corp.’s security response group, the Cupertino, Calif.-based software security vendor.

“Once they have a list of sites they think are vulnerable, they break in to all of them,” he says.

The piece of JavaScript affecting MSNBC and other sites directs browsers to www.2117966.net and the infected computers – known as zombies – send information to the IP address 61.188.39.175.

“The malware is gathering information content from the user’s computer and sending back information,” Chenette says. But “at any point in time, they can change what the malicious content is actually doing.”

That means affected computers are at the mercy of hackers looking to collect private information and likely use it for profit. But companies do have some avenues of protection against the loss of valuable data.

Companies should seriously consider an Internet usage policy for employees, experts agree. The IT department should control what sites the employees can access and what plug-ins their browsers run.

“The World Wide Web is the wild, wild, west,” Chenette says. “At any point in time a large profile Web site that is known as good one day, could suddenly have lots of malicious content the next day.”

IT should also keep a close eye on plug in vulnerabilities, adds Symantec’s Huger. The applications that supposedly enhance your Web browser are much more at risk than the core browser code.

“It’s a bit like using a steel door on a glass hut,” Huger says.

Filtering programs set-up by the IT department could stop users from visiting potentially harmful sites.

“If you restrict Web sites your users can see to be only business-valid sites, you control the risk,” Info-Tech’s Quin says.

Particularly, blocking sports-related Web sites would mean a company wouldn’t have to worry about the growing threat posed by hackers attacking those sites. MSNBC Sports saw an attack timed for the coverage of the popular NCAA Men’s Basketball tournament.

It’s not the first time hackers have leveraged the popularity of a major sporting event to prey on unsuspecting Web surfing masses. The Dolphin Stadium Web site in Miami was compromised just before hosting the Superbowl there, says a Websense report.

It’s an example of event-driven malware designed to grab more users, says Chenette. “We’re expecting to see a large number of malware attacks during the Olympics.”

As for companies wanting to prevent their own Web sites from becoming a conduit to pass on malware, companies must have a solid system to validate any distrusted input requests, he adds.

It also helps to have certified coders that are trained in the programming language that is Web-facing, adds Huger.

“You shouldn’t have software developers that are cutting code facing the public unless they’ve taken some sort of training in the language they’re writing,” he says.

It’s also important to keep on top of the latest upgrades for your Web server, Quin says. The security holes addressed by patches are the very ones used by hackers to inject malicious code into Web sites.

Through auditing of a Web site’s traffic might also reveal harmful traffic patterns.

Hiring an expert to do this annually is expensive but worthwhile, Huger says. Or automatic audits can be done every day for a more affordable fee.

 

Share on LinkedIn Share with Google+
More Articles