Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Stepping Through A Mass Web Attack

image
MICHAEL SUTTON
November 13, 2008 - 4 min read
Security Insights

Contents

  1. Article
  2. More blogs

A few days ago, Kaspersky reported on yet another mass web attack. Such attacks are quickly becoming a preferred attack vector as they permit mass infection with minimal effort. We've seen this before, and not just once. In fact, it seems to be popular among Chinese hackers and is often used to gather authentication credentials for online games. While it hasn't yet been verified, it appears that SQL injection vulnerabilities on vulnerable servers led to the initial infection. All infected servers seem to be running Microsoft ASP pages, a common target for those seeking sites vulnerable to SQL injection.

I'm fascinated by such attacks as they illustrate the interconnected nature of the web and shatter the myth that you are safe if you stick to browsing reputable sites. Sadly, reputable sites struggle with vulnerabilities on a regular basis. The unfortunate reality is that any site, no matter how big or small, could be infected. In this latest attack, Travelocity was compromised. While vulnerable servers were infected, the true targets of these attacks are the end users which visit the sites. I've been preaching for some time now that we need to shift our focus from servers to browsers. We spend the majority of our security resources locking down servers and put minimal effort into protecting users browsing the web. Attackers have shifted their focus and we must do the same.

Attack Walk-Through

According to Kaspersky, the attack leverages multiple browser vulnerabilities and a variety of sites to host the attack scripts and malicious code. In order to better understand how these attacks succeed, let's walk through one such attack scenario which was live at the time this blog was written:

Step 1 - Server Infection

The attack begins by injecting code onto as many vulnerable web servers as possible. This is commonly accomplished via SQL injection. In this specific example, the following code was injected:

  1. Surfing 'reputable sites' is not guaranteed to prevent infection.
  2. A server side compromise is often the first step in a client side attack.
  3. Defense in depth is critical. In this situation, the threat can be mitigated by patch management, network and host based AV and blocking malicious URLs.

Happy surfing!

- michael

form submtited
Thank you for reading

Was this post useful?

vote yes
Yes, very!
vote no
Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

Read post
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

Read post
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Read post
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Read post

01 / 02

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.