Malicious Actors Use “Drive-by-Login” Technique in Targeted Attacks

High-Tech Bridge has spotted an interesting attack in which the threat actor used what researchers believe is a new vector for delivering malware to a targeted individual.

Dubbed “drive-by-login” by the security firm, the technique resembles a drive-by download, in which malware is served to anyone who visits a site under the attacker's control. In a drive-by-login attack, however, the attacker plants malicious code on a legitimate website the victim is known to visit, and that code serves malware only to the targeted user; every other visitor receives the normal page.

High-Tech Bridge analyzed such an attack after being alerted by the owner of a medium-size online store in Central Europe. The customer noticed that his website was trying to infect his computer with malware. Initially, researchers believed it might have been a false positive since they didn’t see any attempts to deliver malware, but a closer investigation revealed that it was actually a cleverly staged targeted attack.

The online store had been running osCommerce Online Merchant v2.3.4, a version released in June 2014. On the targeted server, researchers discovered an osCommerce backdoor file named “ozcommerz_pwner.php.bak.”

“The backdoor patches the ‘/includes/application_bottom.php’ osCommerce script with a malicious code that loads arbitrary remote content (malware) based on website visitor’s IP or on visitor’s profile email (for registered customers only),” High-Tech Bridge explained in a blog post.

To avoid raising suspicion, the backdoor resets the modified script's timestamp to its original value, so any check that relies on modification times sees an unchanged file. Once the malware has been delivered, the original content of “application_bottom.php” is restored as well, so an investigator who examines the live site afterwards finds only a clean script and no trace of the injected code.

In the attack against the owner of the Central European online store, the malicious actors had already restored the file’s content before researchers analyzed it. However, experts managed to find a copy of the backdoor in one of the backups.

The backdoor, which no antivirus engine flagged as malicious at the time, was set up to deliver malware only when it detected the IP address and the email address of the targeted store owner.

The malicious code didn’t deliver the malware directly. Instead, it was designed to redirect the victim to a popular exploit kit, which attempted to push the threat onto the user’s system by leveraging recently patched Adobe Flash Player vulnerabilities.

In the attack analyzed by High-Tech Bridge, the malicious actor also stole the shop’s database. The website was apparently compromised through the exploitation of a vulnerable third-party plugin.

According to researchers, drive-by-login attacks can be highly dangerous because they don’t require any social engineering and they can’t be prevented through security training. An attacker only needs to compromise a website that the targeted individual is likely to visit, and obtain information that will help single out the victim. Such information is not difficult to obtain since users often expose themselves on social networks and websites, Ilia Kolochenko, the CEO of High-Tech Bridge, told SecurityWeek.

Another problem with drive-by-login attacks is that they are hard for malware and website scanning services to detect, because the payload is served only to the targeted user.

“Malware scanning solutions are unlikely to detect anything, simply because the malware won’t be injected to the solution crawler that checks the website. Malware is injected only to one specific victim, and only this victim can notice the malware,” Kolochenko explained.

The expert says the best way to mitigate such threats is to deploy a sophisticated file integrity monitor, keep the web server properly patched and configured, and perform penetration testing on a regular basis. Given the timestamp manipulation described above, an integrity monitor has to compare file contents (for example, cryptographic hashes against a known-good baseline) rather than rely on modification times alone, and the baseline itself should be stored where an attacker with write access to the web root cannot rewrite it.
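The timestamp-restoring behaviour described earlier and the file-integrity advice in this paragraph together show what such a monitor has to do. The following script is an added example for this article, not code from High-Tech Bridge, osCommerce or the attackers: it baselines a constructed web root with content hashes, simulates a backdoor that patches includes/application_bottom.php, puts the file's original mtime back and leaves a .bak file behind (the directory layout, the stand-in script contents and the injected snippet are all constructed for the demo), and then shows that a modification-time check reports nothing while the hash comparison flags both the altered script and the new file.

```python
"""Hash-based file integrity check, shown against a timestamp-restoring backdoor.

Added example for this article; it is not code from High-Tech Bridge, osCommerce
or the attackers. The directory layout, the stand-in application_bottom.php, the
injected snippet and the .bak filename are all constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for osCommerce's includes/application_bottom.php.
CLEAN_SCRIPT = b"<?php\n// application_bottom.php (constructed stand-in)\nsession_write_close();\n"
# Constructed stand-in for the injected loader; the real injected code is not published.
INJECTED = b"if ($_SERVER['REMOTE_ADDR'] === 'TARGET_IP') { /* load remote content */ }\n"


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root: size, mtime and content hash."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(p),
            }
    return snap


def check_mtime_only(root: Path, base: dict) -> list:
    """Naive monitor that trusts modification times. Returns paths it thinks changed."""
    changed = []
    for rel, meta in base.items():
        p = root / rel
        if not p.exists() or p.stat().st_mtime_ns != meta["mtime_ns"]:
            changed.append(rel)
    return changed


def check_hashes(root: Path, base: dict) -> list:
    """Content-based monitor: re-hash everything and report modified, new and missing files."""
    current = baseline(root)
    findings = []
    for rel in sorted(set(base) | set(current)):
        if rel not in current:
            findings.append(("missing", rel))
        elif rel not in base:
            findings.append(("new", rel))
        elif current[rel]["sha256"] != base[rel]["sha256"]:
            # Same mtime but different content is exactly the anti-forensic trick to look for.
            if current[rel]["mtime_ns"] == base[rel]["mtime_ns"]:
                findings.append(("modified_mtime_restored", rel))
            else:
                findings.append(("modified", rel))
    return findings


def simulate_backdoor(root: Path) -> None:
    """Constructed simulation of the described behaviour: append the loader to the
    script, put the original atime/mtime back, and leave a .bak tool file behind."""
    target = root / "includes" / "application_bottom.php"
    st = target.stat()
    target.write_bytes(CLEAN_SCRIPT + INJECTED)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
    (root / "ozcommerz_pwner.php.bak").write_bytes(b"<?php // constructed placeholder\n")


def demo() -> dict:
    """Build a clean tree, baseline it, apply the simulated backdoor, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "application_bottom.php").write_bytes(CLEAN_SCRIPT)
        base = baseline(root)
        simulate_backdoor(root)
        return {"mtime_only": check_mtime_only(root, base), "hash": check_hashes(root, base)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to see the two monitors side by side: the mtime-only check returns an empty list, while the hash check reports `modified_mtime_restored` for the script and `new` for the .bak file. In a real deployment the baseline must live off the web host (an attacker who can patch application_bottom.php can also rewrite a baseline stored next to it), and the check has to run on a schedule rather than once, since in the case described the injected code was removed again after the payload was delivered; the researchers only recovered it because a backup had captured the intermediate state.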

“Drive-by-login attacks mean that no websites are safe anymore. Any website, regardless of its size or purpose, may become the victim of a targeted and sophisticated hack. Finally, this means that no websites can be considered secure or trusted anymore. This is the beginning of the end of the safe web,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge.

Kolochenko believes it’s unlikely that the drive-by-login vector will be leveraged in mass attacks, but he is confident that the number of attacks targeting individuals or small groups of what he calls “VIP victims” will increase.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.