New Injection Attack Compromises More Than 40,000 Websites
"Nineball" exploit is distinct from Gumblar, Beladen, researchers say
By Tim Wilson | DarkReading
A new injection attack that redirects users' Web search queries is in the wild, and researchers at Websense believe it may have already affected more than 40,000 sites.
In a blog post published yesterday, Websense researchers indicated that more than 40,000 legitimate sites have been compromised with "obfuscated code that leads to a multilevel redirection attack, ending in a series of drive-by exploits which, if successful, install a Trojan downloader on the user's machine."
When users visit one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code, the researchers say. The final landing page records the visitor's IP address.
When the site is visited for the first time, the user is directed to the exploit payload site. But if the user returns from the same IP address, he is simply directed to the benign site of Ask.com, the researchers report...