web design blog

 

How many SMBs (small and medium businesses) put security at the top of their list of business objectives? Not many… but it should be given higher priority, as any security breach comes with an expensive price tag. A survey conducted by the security and document-destruction company Shred-It found that 96 percent of small business owners realise the importance of keeping information secure, but do not put it into practice.

 

In a nutshell, the survey also revealed that:

  • 25% of the companies have never done a security review, and
  • 35% of the companies had no protocol in place for dealing with secure data.

 

Cyber attacks are always a concern for online businesses. Over the last few years, SQL injection has been a top security concern for online businesses due to recent media stories. After the most recent SQL injection attack, the so-called Lizamoon attack, the attackers did not sit back: they came up with a new way of infecting websites, in which a dynamic script sends visitors to a previously compromised web server. The affected websites thus form a big meshed network, hence the name ‘Mass Meshing Injection Attack’.

 

Let’s take a look at the basic difference between SQL Injection and Mass Meshing:

| Type of attack | Mass SQL Injection | Mass Meshing Injection |
|---|---|---|
| Victim criteria | Victims have to be tricked into a) downloading a binary and b) executing the binary, in order to be infected | Victims visit the website and are infected without their knowledge, no clicking required (drive-by download) |
| Number of infected sites | Google: 5600; Cisco: 1154; throughout 7 months | 20,000-30,000; June 7th to now, 8 days |
| Google blacklisting rate | Don’t know | 20%, made difficult due to mass meshing |
| Blacklisting | Easy, because most redirectors are maliciously registered, so they can be blacklisted forever | Harder, because redirectors are infected but otherwise legitimate websites, and so they must be removed from blacklisting once cleaned |
| Injection method | SQL injection, error-prone, low success rate. Cannot delete what’s been injected. Injections do not change | FTP, total control of files on the website, that’s why they can do meshing. Injected script changes often; replaced with new ones |
| Injection content | Same for all infected websites | Different for every infected site |

 

Armorize’s chief technical officer, Wayne Huang, has highlighted: “We found that the infected websites form a big mesh—everybody is injected with a malicious script that points to each other. Every infected web site is serving as a redirector for one another. You can’t blacklist anybody, because everyone is a redirector.”

 

In this mass meshing attack, out of the 700 compromised websites that belonged to the mesh network:

  • Only 20 percent of the sites have been blacklisted by Google based on the sidename.js Mass Meshing Injection Attack.
  • Another 10 percent had already been blacklisted previously for a number of reasons.

 

At the moment, there is not much the average small or midsize business owner can do to defend against the wave of mass meshing attacks. In addition, mass-meshing attackers are equipped with tools that can quickly re-infect websites that have been cleaned.

 

In conclusion, they have highlighted that the owner of an infected website faces two outcomes:

  • The hackers will take control of the visitors’ PCs, and there is a 20% chance that Google will classify the website as malicious and blacklist it.
  • In the second outcome, anyone using Google search to find the site will not be able to access it.

 

Huang recommends the following solutions for infected websites. They are:

  • “The first response for many SMBs, particularly those with limited internal IT staff, should be to call their Web hosting provider. The good ones, Huang said, will often be able to help and may have already identified a fix, particularly if they have other affected customers.
  • Change your site’s admin password, but don’t do so immediately: First run an antivirus scan on the PC. If it’s infected, the attacker will have access to the new password too.
  • Scan your systems—including files, databases and config files—for backdoors. Huang concedes that this might exceed the comfort zone of small SMB owners and staff; in that case, it might be time to bring in an outside vendor.
  • Finally, when the site is clean and secure, begin the crucial process of restoring its traffic and reputation. Google’s webmaster tools allow for blacklisted sites to request re-evaluation for starters.”
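
One way to carry out the file part of the scan recommended above, as an added example that is not from the original post or from Armorize: since the injected script differs per site and changes often, the code flags any `<script>` include pointing at a host outside an allow-list instead of matching a fixed signature. The host names and the web-root contents are constructed for illustration; only the `sidename.js` file name comes from the article.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Captures the src value of a <script> tag (quoted or unquoted).
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js", ".tpl"}


def external_scripts(text, own_hosts, allowed_hosts):
    """Return (host, url) for script includes that point at a host which is
    neither the site's own nor on the allow-list."""
    hits = []
    for url in SCRIPT_SRC.findall(text):
        if not url.startswith(("http://", "https://", "//")):
            continue  # relative path: served from this site
        # Protocol-relative URLs (//host/x.js) need a scheme to parse.
        host = urlparse(url if "://" in url else "http:" + url).hostname
        if host and host not in own_hosts | allowed_hosts:
            hits.append((host, url))
    return hits


def scan_webroot(root, own_hosts, allowed_hosts):
    """Walk the web root; return {relative_path: [(host, url), ...]}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = external_scripts(path.read_text(errors="replace"),
                                    own_hosts, allowed_hosts)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Constructed web root: one clean page, one with an injected include."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(
            '<script src="/js/site.js"></script>\n'
            '<script src="https://cdn.example.net/lib.js"></script>\n')
        Path(root, "about.php").write_text(
            '<p>About us</p>\n'
            '<script src="http://other-shop.example/sidename.js"></script>\n')
        return scan_webroot(root, {"www.myshop.example"}, {"cdn.example.net"})


if __name__ == "__main__":
    print(demo())
```

This only catches plain script includes in files; obfuscated injections, database content and server config files need their own checks.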



Have Your Say...

  • PeterPatrickGo, July 8, 2011

    The Sony issue should be the SQL injection crime.
