Researchers find spike in malware targeting online payment

By Stuart Sumner
06 Dec 2011

Researchers have seen a significant increase in the number of legitimate financial transaction web sites hacked in order to infect visitors with malware.

The malware then provides cyber criminals with access to the visitors' machines.

Writing on security firm Eset's blog, David Harley, senior research fellow at Eset, said the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software.

"In the last year, Java has outpaced last year's 'leaders' in exploitable application formats such as PDF and SWF (Adobe Flash file format)," he wrote.

"The vulnerabilities in Java are easier and more consistently exploitable than those in PDF and SWF. The code required for a working exploit is fairly small, and may be only a page in length."

This is in line with a recent security report from software giant Microsoft, stating that Java was the most attacked platform in the first half of 2011.

The exploit kit – software used to build and configure malware – used in the attacks that were spotted by Eset is known as Black Hole.

Harley explained it is designed to change the code it writes (or 'drops') onto infected machines once antivirus software becomes aware of it.

"To prevent antivirus software detecting the dropper, the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software," he claimed.

"When the number of detections reaches a defined value, the dropper is repacked by the service responsible for it."

This means that once repacked, antivirus software would fail to detect the malicious code, as it would appear to be a new, unrecognised program, despite functioning in the same way as before its repacking.

He added that cyber criminals are as comfortable as traditional enterprises, if not more so, in using flexible pricing models and rentable services.

"The price for Black Hole – including support – is in the order of several thousand US dollars, but cyber criminals offer rather flexible pricing: thus, it is possible to rent the service for less money," said Harley.

Most of the sites infected with the Black Hole kit are based in Russia. However, it is possible that the tool will become more commonly used in other countries once its success has been acknowledged in hacker communities.
