Large amount of cross-site scripting attacks see websites compromised

News by Dan Raywood

Around 1,500 popular websites have been compromised due to users passing on a cross-site scripting attack.

Around 1,500 popular websites have been compromised due to users passing on a cross-site scripting attack.


ScanSafe announced the discovery of a new series of website compromises, that it has collectively dubbed ‘Gumblar'.


It claimed that it has been observing large numbers of website compromises that include a cross-site scripting attack that gives control of websites to tamper with Google search results.


As it can also steal FTP credentials, if a victim runs a website the attackers can gain access to it, and can inject the malicious Gumblar script into it. This can cause fast growth of the attacks, as new victims spread the infection to potential new sites that can be compromised.


Mary Landesman, senior security researcher at ScanSafe, claimed that this is a vicious cycle, and one that has led to 80 per cent growth in the number of compromised sites this week compared to last week.


Landesman said: “Because of the complexity of the Gumblar compromises, detection via traditional methods, like signature detection and blacklisting, are ineffective. Gumblar's sophistication and incredible growth rate should serve as a wake up call to the IT community. As cybercrime evolves in sophistication, so must our protection against it.


“The cybercriminals responsible for Gumblar have learned to morph its features quickly. This, coupled with Gumblar's other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we've seen.”


Google has de-listed the compromised websites upon discovering the breach. Although ScanSafe claimed that the attackers realised this and began replacing the suspect IP address with another IP address, allowing the compromised sites to once again be listed by search engines.


Landesman claimed that both the injection and the redirection occur locally, on the compromised computer, and not on the search engine itself.


“I was asked yesterday for an estimate of how much money the attackers might be making from the Google search redirects. It's an impossible question to answer; I wouldn't even want to hazard a guess”, said Landesman.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews