Chinese Internet Security Response Team Under Attack
A recent post by the team at the Chinese Internet Security Response Team to their English-language site indicates that some of the site visitors are experiencing an attack from the CISRT.org site as a result of an injected IFRAME tag.
Injected IFRAME tags are not a new means of using legitimate sites to launch attacks on unsuspecting users, with a recent notable case being the Bank of India hack. What is different in this case is that the hack is only being served to seemingly random site visitors.
This is actually quite an interesting method that can will extend the useful life of a hack by making it harder to isolate and investigate. With intermittent attacks on visitors it also means that investigators need to look at all of the intermediate connections between site visitors and the website. With multiple reports from different users it suggests that whatever is happening is not due to an infection on the systems belonging to site visitors.
Attention is currently being focussed on the possibility of an ARP spoofing / injection attack that is directing visitors to download malicious content from either nmmmn.com or ganbibi.com. To be successful against a broad sample of visitors, from a number of ISPs, such an attack would need to be launched and maintained from either the webhost / server hosting the CISRT website, or from a network chokepoint(s) that is common to most requests coming into the site.
3 October 2007
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.