High-Tech Bridge has spotted an interesting attack in which the threat actor used what researchers believe is a new vector for delivering malware to a targeted individual.
Dubbed “drive-by-login” by the security firm, the technique resembles a drive-by download, in which malware is delivered to victims when they visit an attacker-controlled website. In a drive-by-login attack, however, the attacker plants malicious code on a legitimate website that the victim is known to visit, and that code delivers malware only to the targeted user, not to every visitor.
High-Tech Bridge analyzed such an attack after being alerted by the owner of a medium-size online store in Central Europe. The customer noticed that his website was trying to infect his computer with malware. Initially, researchers believed it might have been a false positive since they didn’t see any attempts to deliver malware, but a closer investigation revealed that it was actually a cleverly staged targeted attack.
The online store had been running osCommerce Online Merchant v2.3.4, a version released in June 2014. On the targeted server, researchers discovered an osCommerce backdoor file named “ozcommerz_pwner.php.bak.”
“The backdoor patches the ‘/includes/application_bottom.php’ osCommerce script with malicious code that loads arbitrary remote content (malware) based on the website visitor’s IP or on the visitor’s profile email (for registered customers only),” High-Tech Bridge explained in a blog post.
To avoid raising suspicion, the backdoor restores the modified script’s timestamp so that the file appears unchanged. Once the malware has been delivered, the original content of “application_bottom.php” is restored as well, so that if the attack is later analyzed, the malicious code is no longer on disk for investigators to find.
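The two evasions described above, restoring the modification time after patching and restoring the file content after delivery, defeat a timestamp-only check and a one-off scan, but not a hash-based baseline taken before the compromise and re-checked frequently. The following is an added illustration, not code from High-Tech Bridge, osCommerce or the incident; the stand-in “application_bottom.php” contents, the injected line and the temporary directory are constructed for the demonstration, and the example only simulates the timestamp-restore trick with os.utime, not the real backdoor.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for osCommerce's includes/application_bottom.php; not the real file.
CLEAN_SCRIPT = b"<?php\n// application_bottom.php (constructed stand-in)\nrequire('includes/footer.php');\n?>\n"
# Hypothetical injected loader line; stands in for whatever the backdoor appended.
INJECTED_LINE = b"<?php /* hypothetical injected loader */ echo 'loader'; ?>\n"


def baseline(root):
    """Record content hash, size, mtime and ctime for every .php file under root."""
    entries = {}
    for path in sorted(Path(root).rglob("*.php")):
        st = path.stat()
        entries[str(path)] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            # On Linux, ctime is bumped by any inode change, including the
            # utime() call used to put mtime back; userland cannot reset it.
            # (On Windows st_ctime is the creation time, so this signal is Linux-only.)
            "ctime_ns": st.st_ctime_ns,
        }
    return entries


def check(root, base):
    """Compare the tree against a baseline; return a list of (path, reasons)."""
    findings = []
    current = baseline(root)
    for path, old in base.items():
        new = current.get(path)
        if new is None:
            findings.append((path, ["missing"]))
            continue
        reasons = []
        if new["sha256"] != old["sha256"]:
            reasons.append("content hash changed")
        if new["size"] != old["size"]:
            reasons.append("size changed")
        if new["mtime_ns"] != old["mtime_ns"]:
            reasons.append("mtime changed")
        if new["ctime_ns"] != old["ctime_ns"]:
            reasons.append("ctime changed")
        if reasons:
            findings.append((path, reasons))
    for path in current:
        if path not in base:
            findings.append((path, ["new file"]))
    return findings


def write_and_restore_mtime(path, content):
    """Rewrite a file, then put its original atime/mtime back (the trick the article describes)."""
    st = path.stat()
    path.write_bytes(content)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Simulate patch -> scan -> restore -> scan; return the findings of both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        target = root / "includes" / "application_bottom.php"
        target.write_bytes(CLEAN_SCRIPT)
        base = baseline(root)                        # taken while the file is clean

        # Attacker patches the script and restores mtime: an mtime-only check sees nothing,
        # but the hash (and size) comparison still fires.
        write_and_restore_mtime(target, CLEAN_SCRIPT + INJECTED_LINE)
        while_patched = check(root, base)

        # Attacker restores the original content after delivery: a scan taken now
        # no longer sees a hash change, which is why the monitor has to run
        # continuously rather than once after the fact.
        write_and_restore_mtime(target, CLEAN_SCRIPT)
        after_restore = check(root, base)
        return while_patched, after_restore


if __name__ == "__main__":
    patched, restored = demo()
    print("while patched:", patched)
    print("after restore:", restored)
```

The detection window is only the interval between the patch and the content restore; a hash baseline catches the change inside that window even though mtime matches, and on Linux the ctime bump may persist afterwards, but the example does not rely on ctime because the kernel's timestamp granularity can make two operations in quick succession share a value.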
In the attack against the owner of the Central European online store, the malicious actors had already restored the file’s content before researchers analyzed it. However, experts managed to find a copy of the backdoor in one of the backups.
The backdoor, which was not detected as malicious by any antivirus engine, was set up to deliver malware only when both the IP address and the email address of the targeted store owner were detected.
The malicious code didn’t deliver the malware directly. Instead, it was designed to redirect the victim to a popular exploit kit, which attempted to push the threat onto the user’s system by leveraging recently patched Adobe Flash Player vulnerabilities.
In the attack analyzed by High-Tech Bridge, the malicious actor also stole the shop’s database. The website was apparently compromised through the exploitation of a vulnerable third-party plugin.
According to researchers, drive-by-login attacks can be highly dangerous because they don’t require any social engineering and they can’t be prevented through security training. An attacker only needs to compromise a website that the targeted individual is likely to visit, and obtain information that will help single out the victim. Such information is not difficult to obtain since users often expose themselves on social networks and websites, Ilia Kolochenko, the CEO of High-Tech Bridge, told SecurityWeek.
Another problem with drive-by-login attacks is that they are difficult for malware and website scanning services to detect, since the threat is delivered only to the targeted user.
“Malware scanning solutions are unlikely to detect anything, simply because the malware won’t be injected to the solution crawler that checks the website. Malware is injected only to one specific victim, and only this victim can notice the malware,” Kolochenko explained.
The expert says the best way to mitigate such threats is by deploying a sophisticated file integrity monitor, ensuring that the Web server is properly patched and configured, and by performing penetration testing on a regular basis.
“Drive-by-login attacks mean that no websites are safe anymore. Any website, regardless of its size or purpose, may become a victim of a targeted and sophisticated hack. Finally, this means that no websites can be considered secure or trusted anymore. This is the beginning of the end of the safe web,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge.
Kolochenko believes it’s unlikely that the drive-by-login vector will be leveraged in mass attacks, but he is confident that the number of attacks targeting individuals or small groups of what he calls “VIP victims” will increase.