1/4/2009 3:47:00 PM

Cyberwar Emerges Amid The Israeli-Palestinian Conflict in Gaza

by Mahran Amona

Since the beginning of the Israeli military campaign in the Gaza Strip, thousands of Israeli websites have come under cyber-attacks carried out by hacking groups operating out of Morocco, Lebanon, Turkey, and Iran.

A Moroccan Islamic group hacked into the registration system server of domainthenet.com last Friday, and the main pages of more than 300 Israeli websites were defaced. The group hijacked the domains of major Israeli websites including Israeli Bank Discount, a weather forecast website and the Israeli Ynet News, a popular Israeli news website. Visitors to the hijacked domains were rerouted to websites featuring images of the casualties of the ongoing Israeli offensive against Gaza, along with anti-Israeli and anti-U.S. messages.

Ynet reported that the hackers obtained a password which granted them access to the server, “which updates and 'translates' the websites' IP addresses into a Domain Name Service; and change the IP's numeral values, effectively rerouting users away from the original websites”. Ynet also added that the hackers did not hack into the actual websites but redirected the users to a “hostile” website, while other hackers managed to access original websites.

It has also been reported that another popular Israeli news website called “debka.co.il” is down due to a cyber attack.

And here comes the cyber response from the Israeli side – a group of Israeli students has built a website which allows any user, even non-technically oriented ones, to attack Hamas websites. The group defines itself as “a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering, NO MORE!”. The group says that they “created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel”.

The attack could be performed by downloading a file which launches DoS attacks – the file recurrently refers to the servers on which the Hamas websites are hosted, and the large number of requests will overburden the servers. In cases where the attacked server is no longer able to handle all the requests, the hosted websites will be unavailable. The file is obviously blocked by eSafe due to its malicious nature.

This outbreak of cyber-attacks is typical of the emerging trend of cyberwar. Last year’s Russian-Georgian cyberwar showed how political tensions are usually followed by or preceded by cyber-attacks on targets affiliated with the opposing side.


Hackers

12/4/2008 1:35:00 PM

Christmas shopping online - make sure you get what you PAY for

by Iftach Ian Amit

In the line of our ongoing “education”, we all know by now that eCrime is no longer lurking right there waiting for victims to come knocking, but is rather working vigilantly to ensure that whatever picks up the most interest online at any given moment is being used to boost the profitability of eCrime.

Having said that, starting to look for online shopping sites and figuring out what’s the best Christmas e-tailer to hit on was a bit too much hard work. The target picked for this season’s eCrime heist was a payment provider nonetheless. Checkfree.com had their DNS records hacked in an attempt by eCriminals to catch onto the beginning-of-the-month bill payments. Customers trying to use the Checkfree service have been redirected to a server hosted in Ukraine which presented them with a blank page and attempted to exploit their browsers and install a Trojan into their systems.

Just like in any other seasonal event (1, 2), we were all expecting the Christmas shopping season to be littered with eCrime attacks (and we are still seeing a rise in the number of threats related to online shopping sites), but this one is really a step up in the level of audacity exhibited by cybercriminals.


Hackers

11/23/2008 10:47:00 PM

Facebook Worm Needs Your Help to Read CAPTCHAs!

by Bahaa Naamneh

After using Geocities as its main redirection point, the Koobface worm is now taking advantage of Google’s Blogger to redirect Facebook users to malware websites.

In this latest attack, the worm sends messages to Facebook users urging them to watch a video which appears to be on Blogger. Victims of this attack will end up infecting their system with the latest Koobface worm from a fake YouTube website. In order to randomly create Blogger accounts to be used for the redirections to the malicious domains, this Koobface variant requires a little help from you, to read CAPTCHAs.

This attack uses tempting messages such as “You look so fine in this video”; here is what the messages may look like:

If the user complies with this message and clicks the proposed blogspot.com link, he will get redirected to a fake YouTube website. The fake YouTube will require the user to install an alleged “Adobe Flash Player Installer” (Flash_Update.exe) in order to be able to watch the video. Executing Flash_Update.exe will infect the system with the Koobface worm.

The following details explain how this attack works:
Flash_Update.exe downloads a couple of executables: google_reg.exe and captcha.exe from aibcvienna.org, which appears to be a legitimate website compromised by the hackers, into the affected system. It’s important to note that the domain also includes other executables tailored for hi5 and Myspace users.

The file google_reg.exe attempts to create new Google accounts, for which it needs the help of humans in reading the CAPTCHA. It uploads the CAPTCHA image to a server and waits for captcha.exe to download it. The captcha.exe file drops a file named captcha5.dll into the Program Files directory and runs it using rundll32.exe, a system file used for executing .dll files. The dropped DLL file displays a shutdown window which freezes the system and threatens the user into entering the characters seen in an image before a 3-minute countdown timer ends. The image is in fact the CAPTCHA that google_reg.exe is waiting for the victim to decipher.

 

Once entered, the characters will be sent back to the server where google_reg.exe is waiting for them to finish creating the blogspot.com account for later use in attacking other Facebook users.
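The drop-then-load behaviour described above (captcha.exe writing captcha5.dll and starting it through rundll32.exe) can be hunted for in endpoint telemetry. The following is an added example, not part of the original post or any product's code: the event format, pids, paths, timestamps, parent/child links and the `,Run` export name are assumptions constructed for illustration; only the file names come from the post.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not real logs). File names come from the post; the
# pids, paths, timestamps, parent/child links and ",Run" export are assumed.
EVENTS = [
    {"t": "2008-11-23T10:00:00", "type": "proc", "pid": 100, "ppid": 50,
     "image": r"C:\Users\a\Downloads\Flash_Update.exe", "cmd": "Flash_Update.exe"},
    {"t": "2008-11-23T10:00:10", "type": "proc", "pid": 101, "ppid": 100,
     "image": r"C:\Users\a\AppData\Local\Temp\captcha.exe", "cmd": "captcha.exe"},
    {"t": "2008-11-23T10:00:20", "type": "file", "pid": 101,
     "path": r"C:\Program Files\captcha5.dll"},
    {"t": "2008-11-23T10:00:25", "type": "proc", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Program Files\captcha5.dll",Run'},
    # Benign control: rundll32 loading a long-installed system DLL.
    {"t": "2008-11-23T10:01:00", "type": "proc", "pid": 200, "ppid": 4,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def dll_argument(cmd):
    """Return the lower-cased DLL path from a rundll32 command line, or ''."""
    parts = cmd.split(None, 1)
    return parts[1].split(",")[0].strip().strip('"').lower() if len(parts) > 1 else ""

def ancestry(pid, images, parents):
    """Image names from the oldest known ancestor down to pid."""
    chain = []
    while pid in images and len(chain) < 16:  # cap guards against pid loops
        chain.append(images[pid].rsplit("\\", 1)[-1])
        pid = parents.get(pid)
    return chain[::-1]

def find_drop_then_rundll32(events, window=timedelta(minutes=5)):
    """Flag rundll32 loading a DLL that some process wrote within `window`."""
    dropped, images, parents, alerts = {}, {}, {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        if ev["type"] == "file" and ev["path"].lower().endswith(".dll"):
            dropped[ev["path"].lower()] = (ts, ev["pid"])
        elif ev["type"] == "proc":
            images[ev["pid"]], parents[ev["pid"]] = ev["image"], ev["ppid"]
            hit = dropped.get(dll_argument(ev["cmd"]))
            if ev["image"].lower().endswith("\\rundll32.exe") and hit and ts - hit[0] <= window:
                alerts.append({"dll": dll_argument(ev["cmd"]),
                               "dropper": images.get(hit[1], "unknown"),
                               "chain": ancestry(ev["pid"], images, parents)})
    return alerts

if __name__ == "__main__":
    for alert in find_drop_then_rundll32(EVENTS):
        print(alert)
```

The rule keys on the behaviour (a freshly written DLL loaded by rundll32.exe) rather than on the file names, so a renamed variant with the same sequence is still flagged, while the shell32.dll control event is not.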


Hackers | Web-based Trojans

11/18/2008 9:03:00 PM

AIRC Threat report and the link to McColo

by Iftach Ian Amit

As promised, the AIRC Threat Report for November is out.

And as also promised, the link to McColo is revealed here – during the time when we were looking at the criminal server, we had the opportunity to observe that someone was logged onto the server at the same time, and the connection came from… McColo.

For those of you who are wondering – no, we did not “hack”, “infiltrate” or “break” into the server. Sometimes the simplest things let you see what’s behind the mirror (and legally).


Hackers

10/28/2008 10:32:00 PM

Obama Leads in US Presidential Election Poll - the eCrime Way

by Iftach Ian Amit

And the leader according to the highly non-scientific research done using Google for a specific attack vector is: Barack Obama. Obama-related sites have managed to get infected in such a way that they attack their visitors in 364 separate instances, while McCain is right behind with 230 instances.

As always, and as we have reported in the past, those behind eCrime are watching the news as diligently as the rest of us and are “affected” by current affairs in terms of the ways they tune their attack vector to achieve maximum exposure to their target market. The financial situation, jobs, housing, and now the US elections are causing a shift in the context of the sites targeted to carry malicious code and perform web attacks in order to gain as many “eyeballs” as possible.

Now, given that this example is just the tip of the iceberg, and only gives a general idea on one specific attack vector, the conclusion is pretty obvious in terms of the global magnitude of having relevant sites infected with Malweb. Do the math, Google’s own tools enable some pretty insightful data into the search trends (and thus the chances that a site that comes up in one of the first 100 results of such search terms) both for sociological and technological studies, as well as for eCrime market reach optimization.

(Image showing Google’s trends search volume for the phrases “john mccain” and “barack obama”)

Now that’s why security research is a little more than just playing cat-and-mouse with a technological attack or a new vulnerability. Security research is also the understanding of how the motive and MO of the attackers work in order to be prepared for the next wave and the next technological advancements.


Malweb | Hackers