    Government, health care Web sites attacked

    New wave of attacks compromises government and health care Web sites

    A scan of Web servers by Internet security company Finjan Inc.
    has found more than 1,000 legitimate Web sites that had been
    compromised by a new wave of attacks in recent weeks.


    High percentages of the compromised sites, which serve up
    malicious code to unsuspecting visitors, belonged to government at
    13 percent, and to health care organizations at 12 percent, said
    Finjan Chief Technology Officer Yuval Ben-Itzhak.


    'We started to see it at the end of last month,'
    Ben-Itzhak said. 'But most of [the compromised] domains we
    found in the last two weeks.' The compromises were found
    using Finjan's SecureBrowsing security tool.


    The attack toolkit being used is named Asprox, and has been in
    use for several years, having gained popularity with cybercriminals
    during 2007.


    'This is not groundbreaking,' Ben-Itzhak said. The
    tool uses a well-established SQL-injection attack to compromise the
    sites. But the sites being targeted appear to indicate a shift in
    the underground economy that has grown up harvesting sensitive
    information from online activities.


    'For government, we still don't have the
    reason,' Ben-Itzhak said. 'We believe the criminals are
    targeting health care [data] because they can sell it for a higher
    price.'


    The black market price for stolen credit card information has
    declined sharply in the last year, from around $100 per account to
    $15 or $20 each, he said. 'It's supply and
    demand.' Credit-card information can be easy to steal and has
    been targeted by many criminals. 'It explains why
    they're looking for new types of information that they can
    sell for a higher [profit] margin.'


    The Asprox toolkit searches Google for Web pages with an
    '.asp' file extension. These pages use the Microsoft
    Active Server Pages server-side scripting environment for creating
    and serving dynamic Web pages. It was widely used from around 1998
    to 2003, when it was largely replaced with Web development tools
    that provide more security. But there still are many Web sites
    using it.


    'It is not a vulnerability in the Microsoft tool,'
    Ben-Itzhak said. 'It is because of the way the pages were
    designed and not because of the technology.'

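    The design flaw behind SQL injection is a page that builds its query text from request input. The following is an added example, not code from the article or from Finjan: a heuristic audit that flags that pattern in classic ASP source. The function name and the sample page are constructed for illustration.

```python
import re

# Classic ASP collections that carry user-controlled input.
USER_INPUT = re.compile(r'\bRequest\s*(\.\s*(QueryString|Form|Cookies)\s*)?\(', re.I)
# A string literal that opens a SQL statement.
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.I)
ASSIGN = re.compile(r'^\s*(?:Set\s+)?([\w.]+)\s*=\s*(.+)$', re.I)
NUMERIC_CAST = re.compile(r'^\s*(CLng|CInt|CDbl)\s*\(', re.I)  # forces a number
STRING_LITERAL = re.compile(r'"[^"]*"')

def find_concatenated_sql(asp_source):
    """Return (line_no, line) where SQL text is concatenated with request input."""
    tainted = set()   # variables currently holding unvalidated request input
    findings = []
    for number, line in enumerate(asp_source.splitlines(), 1):
        m = ASSIGN.match(line)
        target, expr = (m.group(1).lower(), m.group(2)) if m else (None, line)
        code = STRING_LITERAL.sub('""', expr)   # blank out literal contents
        names = {n.lower() for n in re.findall(r'[A-Za-z_]\w*', code)}
        from_input = (
            bool(USER_INPUT.search(code) or names & tainted)
            and not NUMERIC_CAST.match(expr)
        )
        if SQL_LITERAL.search(expr) and '&' in code and from_input:
            findings.append((number, line.strip()))
        if target:   # VBScript names are case-insensitive, hence lower()
            (tainted.add if from_input else tainted.discard)(target)
    return findings

# Constructed sample page: lines 3 and 5 are injectable, 6-9 are the safer forms.
SAMPLE_ASP = '''<%
id = Request.QueryString("id")
sql = "SELECT title FROM articles WHERE id = " & id
Set rs = conn.Execute(sql)
rs.Open "SELECT * FROM users WHERE name = '" & Request.Form("name") & "'", conn
n = CLng(Request.QueryString("id"))
sql = "SELECT title FROM articles WHERE id = " & n
cmd.CommandText = "SELECT title FROM articles WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , Request.QueryString("id"))
%>'''

if __name__ == "__main__":
    for number, text in find_concatenated_sql(SAMPLE_ASP):
        print(f"line {number}: {text}")
```

    A line-based check like this misses input that reaches the query through functions or include files, so a clean result does not prove a page is safe.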

    To protect themselves from the attack, he recommended that
    enterprises use application firewalls in front of their servers to
    block the attacks, and that consumers use real-time content
    inspection tools to protect their browsers. 'They cannot
    assume that legitimate Web sites will remain safe all the
    time,' he added.


    Finjan offers a free browser plug-in for content inspection, but
    Ben-Itzhak said that user uptake for the technology still is slow,
    only about 25 percent compared with more than 90 percent for
    traditional signature-based antivirus tools.



    About the Author

    William Jackson is a senior writer for GCN.
