Criminal gangs have acquired login details for more than 200,000 websites.
According to Ian Amit, director of security research at Aladdin Knowledge Systems, the US Postal Service site is one of those that has been compromised and used to attack users' PCs with exploit code.
Amit found and infiltrated a server belonging to a long-time customer of Neosploit, a hacker toolkit used by cyber criminals to launch exploits against browsers and popular Web software such as Apple's QuickTime or Adobe Systems' Adobe Reader. He showed logs demonstrating that two or three hacker gangs had contributed to a massive pool of Web site usernames and passwords.
Amit said: “We have counted more than 208,000 unique site credentials on the server, and over 80,000 had been modified with malicious content.”
He further revealed that 80,000 sites had been modified to be used as attack launch pads and each served up exploit code provided by the Neosploit kit to any visitor running a Windows system that had not been fully patched.
The only compromised site he would name was the U.S. Postal Service's at www.usps.gov. The site, and others, have been cleaned of the code that calls Neosploit down on unsuspecting visitors. Also on the list were sites for governments and Fortune 500 companies, universities, and other businesses, including several unnamed weapons manufacturers - more than half the affected sites belong to European companies and organizations.
Amit also gathered evidence of how the criminals processed the site log-ins, down to the number of IP addresses authorized to access the credentials. Based on the number of IP addresses and their distribution, he estimated that two or three separate groups were involved.
He said: “The server-based application that validated the credentials and then modified the sites was completely automated. Access to that application was restricted to about six or seven IP addresses; it's clear that that access was intended only for the use of the criminals using the server.”
The groups apparently pooled resources, with site log-in information contributed by multiple users. Amit was not, however, able to determine how the criminals came by the site credentials in the first place. It's possible, he said, that the log-ins were purchased from others, or harvested by a botnet dedicated to the job.
Amit said: “As much as I'd like to be optimistic, I'm not fooling myself. They're using a software-as-a-service model, and it will be hard to track down all of them.
“We've exposed the back-end infrastructure of the organization. We've been chasing bugs for a couple of decades now and we need a different approach. That's what we have here. Now we know more about their M.O. and their business model. I hope that this will help both law enforcement and security researchers stay ahead of the game.”