Phishing scams are one of the most widespread types of online fraud today, prompting the Federal Trade Commission, the Better Business Bureau and many other companies and consumers' groups to find ways to teach people to avoid getting scammed. "Phishers" normally persuade people to visit fake Web sites by enticing them through e-mail messages.
Thursday's Web site attack is a new direction for online criminals, said Dave Endler, director of digital vaccine for TippingPoint, an Internet security company based in Austin, Texas. "Instead of relying on the typical phishing e-mail scams to social engineer users into visiting malicious spoofed Web sites, these attackers actually went straight to the source and compromised known trusted Web sites in order to infect their visitors," he said.
Joe Stewart, senior security researcher for Chicago-based Internet security firm LURHQ, said that the programs installed on victims' computers were designed to wait until the user visited a Web site like PayPal or eBay. If the program had worked correctly, people would have seen pop-up screens on their monitors asking them to enter their credit card numbers or other financial data.
"Phishing has moved from an e-mail attack to one that's really being brought to the desktop," Stewart said.
Ken Dunham, malicious code manager for Reston, Va.-based security company iDefense, said the attack bears the trademark signatures of the Hangup Group, a Russian hacker organization thought to be responsible for unleashing the recent "Korgo" worms. Korgo worms allow hackers to read what people are typing on their computers and scour infected PCs for other financial information.
According to SANS, most large Internet service providers stopped forwarding Internet traffic to the Russian Web site that hosts the "keylogging" software.
FBI spokesman Joe Parris declined to say whether the agency is investigating this particular attack. But Parris said hackers commonly use similar Trojan horse techniques. "We work closely with Microsoft in investigating matters of this type and always follow up on any information provided by industry," he said.
Dunham and other security experts said they expect this kind of attack to become more widespread in coming weeks and months.
"These guys have the tools, techniques and motivation to launch highly sophisticated attacks that are very difficult for consumers to protect themselves against," he said. "Whoever is responsible has just seen how well this attack works, and other (hacker groups) are almost surely going to take notice."
Stephen Toulouse, a security program manager at Microsoft, said the company does not believe the attack is widespread. "Nonetheless, we view this as a very real threat, with serious significance in terms of the potential impact on our customers," he said.
Toulouse said the company is gathering information on the attack and will hand it over to the FBI.
Security experts said it is not yet clear which Microsoft vulnerability the attackers used to commandeer the Web sites. Ullrich said the culprit is a flaw in the way IIS processes secure login pages for Web sites that require users to enter a username and password. Microsoft released a patch for that flaw in April in a massive bundle of security fixes.
Toulouse said that the proprietors of the majority of sites affected by the attack had failed to install the patches.