Unlike the widespread iFrame attacks that proliferated across the Web during 2007, threats created using the Random JS Toolkit will also be much harder for security researchers to track down because they do not lead back to central sites where the actual malware code itself is hosted, Finjan maintains.
Since the malware code is loaded directly on the compromised site, and it won't attempt to infect the same computer or IP address twice, traditional URL blacklisting and signature-based techniques will likely prove futile against the attack, the company said.
However, based on what the security appliance vendor has been able to deduce so far, Ben-Itzhak said, the firm believes there is currently only one malware group using the toolkit.
"From what we can tell, all the information flowing back from the compromised sites is heading to the same server," he said. "This indicates that there is probably only one group controlling this malware code thus far, and that they are probably being very successful; this is just another step forward for the criminals involved to continue to improve their attack methods and remain undetected."
Ben-Itzhak said that the involved server is not one that matches any of the company's lists of machines controlled by well-known malware authoring groups such as the Russian Business Network. The server the company is tracking was originally located in Europe, but has recently been moved to China -- and likely will continue to be moved around to avoid detection, according to the expert.
Most of the data the security company has seen being sent to the server has been related to online banking username and password data, he said.