Description: A nasty bug is infecting users via a website. The bug installs a virus from the page that will steal your Filezilla, CuteFTP, (and maybe others), then sends the passwords to a central server. From there they run a bot to access all of the stolen FTP accounts and ten an iframe injection attack on other pages, creating even more infected machines. This is a severe vulnerability.
"When a search engine such as Google detects the infection in a site, they may remove the site from their index, resulting in a financial loss to the site owner. Some browsers may flag the site as infected and show a warning that scares away users.
This attack is interesting because of the way it spreads, and the risk to developers. I would not want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked.
Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today's best malware is all about making money.
Big sites have security measures that would probably protect them. But what if a few million small sites are compromised and used to launch a coordinated attack? As we recently saw with Twitter's vulnerability to distributed denial-of-service attacks, there's no such thing as "not my problem" on a shared network like the Internet.
"When a search engine such as Google detects the infection in a site, they may remove the site from their index, resulting in a financial loss to the site owner. Some browsers may flag the site as infected and show a warning that scares away users.
This attack is interesting because of the way it spreads, and the risk to developers. I would not want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked.
Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today's best malware is all about making money.
Big sites have security measures that would probably protect them. But what if a few million small sites are compromised and used to launch a coordinated attack? As we recently saw with Twitter's vulnerability to distributed denial-of-service attacks, there's no such thing as "not my problem" on a shared network like the Internet.
