Web attack aims to steal surfers' financial details

A new Internet attack discovered late Thursday was designed by an infamous group of Russian virus writers to steal credit card and other financial information from Web surfers and send it to Web sites where it can be retrieved by hackers, security experts warned Friday.

Mikko Hyppönen, director of antivirus research at Helsinki antivirus company F-Secure Corp., said his team had stayed up all night examining details of the new threat and have connected it with a known Russian virus writing group called Korgo.

According to Hyppönen, the group has hacked into Web servers of some major Internet service providers that host "huge" Web sites, such as an online auction site and banking sites, to append malicious code to their pages. This code, which security researchers are calling "Scob," connects the user's PC to Web addresses run by the hackers from which they can silently download and install a Trojan horse. This then uses a keystroke logger to collect Web surfers' passwords, logins, PayPal payment data and other sensitive information, Hyppönen said, and then send them to Web sites where the hackers can retrieve them.

"It just boggles the mind when you see the amount of information available on these sites -- credit card numbers, banking information -- and its available to anyone who knows the Web sites," Hyppönen said.

He added, however, that the Web addresses where the information is being stored are not obvious and that potential hackers would have to reverse engineer the code to find them.

Law authorities, who were already investigating the Korgo group, have an open investigation into the case and are working on shutting down the sites, Hyppönen said.

Graham Cluley, senior technology consultant at security firm Sophos PLC, said that his team has also connected the threat to the Korgo group. However, he said that in their research they have not been able to get through to the Web addresses that download the Trojan horse.

"So far it doesn't cause much harm, but the hackers could choose to redirect users to other addresses that work," he said.

Cluley also warned that the hackers could choose to change the Trojan horse, enabling it to launch a spam or denial-of-service (DOS) attack. "The world is really their oyster," he said.

Security experts have said that the attack only affects users of certain versions of Microsoft Corp.'s Internet Explorer browser.

Additionally, Cluley said that it appears that the threat only affects Web servers running Microsoft IIS 5 (Internet Information Services) Web Server software and not Microsoft IIS 6, which comes with Windows 2003 Server.

In the meantime, various antivirus firms are working to update their products to protect against the threat. As of early Friday morning, F-Secure had updated its offering to protect users, Hyppönen said, and he expected other companies to follow shortly.

Additionally, Cluley said that there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm.

"Our advice is that everyone download the Sasser patch, " Cluley said. "And really, sites that haven't done so yet, that have slept through the whole Sasser hoopla, really cannot say that they take their network security seriously."

Because most sites should have patched against Sasser, and Sophos has been unable to connect to the addresses hosting the Trojan horse code, Cluley believes that the attack is not a huge threat so far. However, he warned that this could change.

The threat was initially detected late Thursday, with managed security services firm NetSec Inc. and the SANS Institute's Storm Center warning against the vulnerability.

So far all of the security researchers have remained tight-lipped about which major Web sites are being affected by the attack. It is also unclear how many users and sites have been affected so far.