News Stay informed about the latest enterprise technology news and product updates.

Stolen FTP credentials likely in massive website attacks

The latest website attack techniques use stolen user credentials instead of website vulnerabilities to crack websites and spread malware.

Stolen FTP credentials are suspected as the root cause of a massive attack compromising over 40,000 websites.

To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Attackers have targeted legitimate websites in the latest wave, and so far researchers at security vendor Websense Inc. say it isn't likely that SQL injection, cross-site scripting or other website vulnerabilities are to blame. Instead, the attackers are easily injecting malicious JavaScript code into sites by logging in with stolen usernames and passwords.

"Across the board, none of the sites that we've seen compromised are running some common piece of vulnerable software," said Stephen Chenette, manager of security research at Websense.

It's the second time in less than a month that attackers used stolen FTP credentials to successfully pull off a large scale attack. Last month, a malware exploit, called Gumblar, spread quickly onto websites through stolen FTP credentials in addition to vulnerable Web applications and poor configuration settings. The attacks serve as a reminder to educate users about using strong password management. 

Website attacks:

IT pros can detect, prevent website vulnerabilities, thwart attacks Until vendors release a cohesive set of tools to protect against website attacks, IT security pros have a number of ways to detect vulnerabilities.

US-CERT warns of Gumblar, Martuz drive-by exploits Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.

Organizations struggle with data leakage prevention, rights management: Employee use of Web-based services and poor judgment can easily defeat the technologies. But better use of the audit, discovery and reporting features can make them more effective.

Chenette said the latest round of attacks use a typo-squatted Google analytics website to track potential victims as they are bounced to websites under the Beladen domain. Those websites silently attempt to exploit browser and Web application vulnerabilities to install a Trojan downloader. If successful, the downloader then attempts to install more malware on the victim's machine. The so-called Beladen attacks are ongoing and haven't let up, Chenette said.

"They're holding at a pretty static number," he said. "It's been fluctuating as most mass injection attacks do, and we've reached out to notify website owners that they've been compromised."

Using rogue antivirus software and keylogger Trojans installed on user machines, the attackers silently collected FTP passwords. The attackers are suspected of being members of the Russian Business Network, a cybercriminal organization that has owned and used the same typo-squatted Google analytics engine in previous attacks, Chenette said.

Security experts say standard FTP passwords can be easily cracked with automated tools. Some security vendors have released software adding strong authentication and encryption when files are transferred to avoid man-in-the-middle attacks. But attackers are targeting small businesses and website owners with little technical knowledge, money or the need to secure a website containing no sensitive data. 

Although the websites compromised by Beladen are legitimate, they don't get a lot of traffic. The websites range from small businesses to small government and entertainment websites, Chenette said. When contacted by Websense, some website owners failed to recall owning the compromised site, he said.

"The site owners are a lot less responsive in looking at their own source code, so the time to take down these websites and fix them is generally longer than had this attack been targeted towards larger websites," he said.

In addition, Websense researchers are tracking two other growing attacks that use similar methods, including stolen FTP credentials.

Websense, Symantec Corp. and other security vendors can detect malicious code on websites. The vendors have also worked to shut down the domains suspected of hosting malicious webpages. But the cybercriminals behind the attacks easily switch to other rogue domains. Those behind Gumblar recently switched to Martuz, a group of malicious domains based in the U.K.

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.