Hackers looking to steal passwords used in popular online
games have infected more than 10,000 Web pages in recent days.
The Web attack, which appears to be a coordinated effort run
out of servers in China, was first noticed by McAfee researchers on Wednesday
morning. Within hours, the security company had tracked more than 10,000 Web
pages infected on hundreds of Web sites.
McAfee isn't sure how so many sites have been hacked, but
"given how quickly some of these attacks have come on, it does seem like
some automation has gone on," said Craig Schmugar, a researcher with
McAfee's Avert Labs. In the past, attackers have used search engines to scour
the Internet for vulnerable Web sites and then written automated tools to flood
them with attacks, which ultimately let criminals use legitimate sites to serve
up their malicious code.
The infected Web sites look no different than before, but
the attackers have added a small bit of JavaScript code that redirects
visitors' browsers to an invisible attack launched from the China-based
servers. This same technique was used a year ago, when attackers infected the
Web sites of the Miami Dolphins and Dolphins Stadium just prior to the Super Bowl XLI football game.
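The injection pattern the article describes (a small script or hidden frame added to an otherwise unchanged page, pulling content from an off-site server) can be checked for on the defender's side by scanning a site's own HTML for references it did not put there. The following is an added example, not code from the article or from McAfee; the host names and the sample page are constructed, and the rule set (off-site `script`/`iframe` sources, and iframes styled to be invisible) is an assumption about what such an injection typically looks like, not a complete detector.

```python
"""Flag off-site or hidden <script>/<iframe> references in a page's HTML.

Added example for defenders: the article's attack added a small script to
legitimate pages that loads content from a third-party server. This check
parses a page, lists every script/iframe source, and reports those that
point outside the site's own domain or are styled to be invisible.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefCollector(HTMLParser):
    """Collect (tag, src, attrs) for every <script src> and <iframe src>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            d = dict(attrs)
            src = d.get("src")
            if src:
                self.refs.append((tag, src, d))


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel frames or display:none are not meant to be seen."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if val in ("0", "1"):
            return True
        if f"{dim}:0" in style or f"{dim}:1px" in style:
            return True
    return False


def find_suspicious_refs(html, site_host):
    """Return findings for refs that are off-site and/or hidden.

    site_host: the site's own domain; subdomains of it are treated as on-site.
    Relative URLs (no host) are considered on-site.
    """
    parser = RefCollector()
    parser.feed(html)
    site_host = site_host.lower()
    findings = []
    for tag, src, attrs in parser.refs:
        host = (urlparse(src).hostname or "").lower()
        off_site = bool(host) and host != site_host and not host.endswith("." + site_host)
        hidden = tag == "iframe" and _is_hidden(attrs)
        if off_site or hidden:
            findings.append({"tag": tag, "src": src, "off_site": off_site, "hidden": hidden})
    return findings


# Constructed sample page: two legitimate references, then an injected hidden
# frame and script pointing at a host the site does not own (placeholder names).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-site.test/lib.js"></script>
</head><body>
<p>Team news</p>
<iframe src="http://attacker.invalid/x.html" width="0" height="0" style="display:none"></iframe>
<script src="http://attacker.invalid/inject.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_refs(SAMPLE_PAGE, "example-site.test"):
        print(f)
```

Run against a crawl of your own pages (or a stored copy of each page, diffed against the deployed source), an unexpected off-site host is the signal worth investigating; a visible, known CDN reference can be added to the on-site domain list rather than tuned out by weakening the check.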
The attack code takes advantage of bugs that have already
been patched, so users whose software is up-to-date are not at risk. However,
McAfee warns that some of the exploits are for obscure programs such as ActiveX
controls for online games, which users may not think to patch.
If the code is successful, it then installs a
password-stealing program on the victim's computer that looks for passwords for
a number of online games, including the Lord of the Rings Online.
These online game passwords are a popular hacker target, in
part because many online gaming resources can be stolen and then sold for cash.
Other Attacks
Widespread Web attacks such as this are becoming more common
too.
In January, security vendor Finjan reported a widespread
hacking effort that infected 10,000 Web sites with malicious code that attacked
visitors and then installed data-collecting software on their machines.
This type of attack is attractive to criminals, in part
because it can be hard to thwart. "It's more subtle than spamming a
malicious executable file to billions of e-mail addresses," Schmugar said.
"You allow the people to go to the sites that they normally go to and pull
off a low-scale attack that flies under the radar."