UK Domain Registrar Targeted by Mass Injection Attack

Security firm Sucuri (providing web integrity monitoring solutions and operating a website malware scanner) has reported of a new mass injection attack that infected a considerable number of websites harbored at 123-reg.co.uk, one of the biggest domain providers in the UK. Malicious code embedded in these websites directs visitors to scareware.

The company, in the past few days, has found a large number of websites compromised with the same code used to inject a malicious java script on many websites harbored at Go Daddy. All of them include a java script loading malware (the famous fake AV) from: http://meqashopperinfo.com/js.php,http://meqashoppercom.com/js.php, http://meqashopperonline.com/js.php, and http://www4.in-scale-feed.in.

All the websites affected till now include the following code attached to all PHP files: "eval (base64_decode ("aWYoZnVuY3Rpb....".

The attack redirects users of the compromised websites to a scareware page that impersonates an anti-virus scan and displays fake alerts regarding malware infections on their machines.

The objective of this trick is to scam users into downloading and installing a rouge anti-virus program that further attacks users' machine with several fake alerts and warnings to persuade them to buy a license.

Users who purchase the license will not only pay a great amount for a worthless application, but will also compromise their credit card details in the procedure.

Remarkably, the domain meqashopperinfo.com (85.234.191.141, 95.211.2.55) is not blacklisted. Hence, it has the ability to infect a very large number of computers, particularly the ones with outmoded AV signatures and definitions.

Interestingly, in this attack as well, domain is registered by the same people responsible for the past attacks at BlueHost, GoDaddy, etc (Hillary Kneber). Hillary Kneber is a famous fake identity used to register domains for conducting malicious activities later on.

According to the experts, attack doesn't indicate towards a flaw in its infrastructure. This normally occurs because attackers utilize automated tools to scan complete blocks of IP addresses for vulnerable websites and then infect them all simultaneously.

Further, security experts have cautioned that cybercriminals will continue to become more complicated in terms of their compromising techniques. Thus, web users and businesses should make themselves aware of the safe security practices to protect themselves against these attacks.

Related article: US Passes Baton to Asia in Spam Relay

» SPAMfighter News - 10/11/2010